Howard Schmidt’s Extreme Makeover
» PAGE 44

LITTLE HELP HERE!
A CSO MEETS WITH OUR EXECUTIVE COACH, PAGE 38

ARE YOU A LEADER OR A LAGGARD?
TAKE OUR EXCLUSIVE QUIZ, PAGE 32

WHAT EXCITES A METRIC-SEXUAL?
47 HOT LITTLE NUMBERS THAT WILL DRIVE THE BOARD WILD! PAGE 34

AWESOME SKILLS FOR A MORE EFFECTIVE YOU!
COVERAGE BEGINS ON PAGE 24

“I always think what’s the image I want to portray,” says Michael Assante, CSO of American Electric Power.

December 2004 $9.00
www.csoonline.com


Building the FUTURE CSO

SPECIAL ISSUE




It’s a big world out there, and your remote offices can be all over it. But no matter where they are, you can keep them secure with the Symantec™ Gateway Security 5400 Series and Symantec™ Gateway Security 400 Series appliances. Install the 5400 Series in your main office and the 400 Series in your smaller locations and you’ll have comprehensive gateway protection wherever you need it. To learn how to protect your company’s critical information, go to http://ses.symantec.com/appliances or speak with your Symantec Certified Partner.




Even if everyone knew about the problem, would anyone know the solution?

Web-based applications are critical to your success. But the reality is, most aren't doing their job as intended. They're compromised by performance issues, security fears and mushrooming costs that have nothing to do with their real role in life, and everything to do with trying to coexist with a network too focused on connectivity and not nearly adaptable enough.

Little wonder there's friction between a lot of application developers and network managers. And just adding another point solution, code fix or new addition to the server farm isn't going to improve things.

What you need is a true solution. One that you can easily implement that's not only the answer now, but for whatever the future brings. A solution that makes the network aware of the application and gives it the intelligence to interact with the application. And is so comprehensive it gives you complete control over who gets access from where and when, and can actually identify and filter application-level cyber attacks.

It's application traffic management taken to the next level. An approach that unifies all the application optimization, availability and security you need in one cohesive architecture you can customize to specific business policies.

It's something that could have only come from a deep understanding of both the network and the application. Which is why it's only from F5.

For more information, call 866-440-0192 or visit www.f5.com/csotaxi.


24 Show Time for Security
INTRODUCTION Sure, image isn’t everything. But in security, projecting the right image helps get the job done. By Sarah D. Scalet

26 Secrets of Their Success
MANAGEMENT TIPS It takes more than knowledge and experience to excel. Five top CSOs share their tips for putting forward a positive message—in appearance, word and deed.

32 What Type of Leader Are You?
SELF-ASSESSMENT Take this quiz to find out if they love you—or loathe you. By Derek Slater

34 Build Business Cases Like Steel Pistons!
METRICS FITNESS A quick and dirty guide on how to use numbers to strengthen your case. By Sarah D. Scalet

38 One Day to a Better You
SELF-IMPROVEMENT An executive coach takes an up-and-coming CSO on a whirlwind self-improvement spree. By Todd Datz

44 Mr. Schmidt Goes to Barneys
MAKEOVER Sure, he looks great. But was Howard Schmidt’s makeover a premeditated image play or an accidental upgrade? By Scott Berinato

46 Security Sells
MARKETING Some companies are so serious about security, they try to make it part of their corporate image. By Malcolm Wheatley

52 Mad About You
FICTION Two security executives—one a “cop,” the other a “geek”—work hard to find mutual understanding. By Todd Datz

Cover photo by Dan Cook


COLUMNS

22 Up and Running
SECURITY COUNSEL John Medaska, vice president of business development at Relational Technology Services and president of the Tampa Bay InfraGard, answers readers’ questions about business continuity.

60 Revenge of the PKI Nerds
CSO UNDERCOVER Wherein a very patient CSO hatches a plan to revive a technology thought to be dead.

DEPARTMENTS

13 Briefing
Allstate’s security awareness fair; Converging credentials; Chicago’s new surveillance system; Top 10 indicators your facility is being watched; Employees as first responders.

20 Wonk
Biometrics by Fire: From iris scans to fingerprints, three DHS pilot programs have created a high-profile test bed for biometrics technology. By Al Sacco

57 Machine Shop
Packet flows can help you monitor your network, trace a hacker’s footsteps and see how your VPN is used. By Simson Garfinkel
TOOLBOX Of Padlocks and Passwords

64 Debriefing
TOY SWORDS AND BLADDER INFECTIONS The Year in Stupid Security.


4  www.csoonline.com  December  2004 




All In a Day’s

Photo ID, 7:42 AM
Verify your identity to the parking entrance guard by presenting your photo ID card with the company’s hologram.

Access Control, 7:49 AM
Open the door to your facility with HID’s 125 kHz proximity, the technology that opens thousands of doors each day!

Logical Access, 9:02 AM
Use your contact smart chip module to log on to the network and access your PKI applications.

Cashless Vending, 11:53 AM
It’s make-your-own-taco day, and your card’s magnetic stripe works with the legacy system in the cafeteria.

Biometrics, 2:02 PM
Gain access to high-security areas in your building using your fingerprint, handprint, or iris. HID can store your biometric template on your card using 13.56 MHz iCLASS contactless smart card technology!

Time & Attendance, 5:15 PM
After a productive day’s work, clock out with your card—time to relax!

iCLASS by HID



Proximity. Multi-Technology Cards. iCLASS.

The sort of sensible ingenuity you’d expect from HID, the worldwide leader in access control.

www.HIDCorp.com/work

Smart. Powerful. Trusted.


Not-So-Splendid Isolation

Consultant Thornton May has had it with most CSOs, who he believes are isolated from other executives because they are too technical and just don’t understand business. Is this an image problem, or is there more to it? What's muddling your message? Read TALK BACK and then tell us what you think.
www.csoonline.com/printlinks


of CSOs say that managers at all levels of their organization understand their roles and responsibilities in regards to security, up from just 18 percent in 2003.

SOURCE: CSO RESEARCH, STATE OF THE CSO 2004. READ MORE STATISTICS IN THE FULL REPORT AT WWW.CSOONLINE.COM/CSORESEARCH.

Change Your Image, Change Their Minds

Once you’ve read this issue, you’ll not only look the part of a business executive, but you’ll have a better grasp of the skills needed to get your message across. Now you’re ready for the next step: changing minds. Howard Gardner has seven tips for you. Read “How to Change People’s Minds” from the June 2004 issue.
www.csoonline.com/printlinks

Succession

Executive coaches can polish those who are CSO-ready (see “One Day to a Better You,” Page 38), but what about the rest? Grooming your successor requires a substantial investment of time, a sincere interest in employee development and a dash of humility. Read “Natural Selection” from the June 2004 issue for advice on guiding your best and brightest into the executive suite. Go to www.csoonline.com/printlinks.

“There is no ‘magic bullet’ to achieving communication. Rather, it comes down to plain hard work.”

-JOHN COLLIGAN, DIRECTOR OF ADMINISTRATIVE SERVICES, AMERICAN BIBLE SOCIETY, FROM “HOW DO YOU COMMUNICATE THE VALUE OF SECURITY?" WWW.CSOONLINE.COM/TALKBACK/091404.HTML


The  Leadership  Portfolio 

Projecting  a  strong  image  is  but  one 
characteristic  of  a  good  leader.  For 
more  in-depth  coverage  of  topics  such 
as  ethics,  executive  relationships  and 
staffing,  visit  our  LEADERSHIP 
&  BUSINESS  Research  Center. 
www.csoonline.com/printlinks 


Something  for  Nothing 

CSO  newsletters  are  delivered  right 
to  your  inbox  for  free.  Sign  up  for 
newsletters  on  CSO  careers,  leadership 
and  technology,  or  just  stay  in  tune 
with  the  most  recent  updates  to 
CSOonline.com.  Sign  up  now. 
www.csoonline.com/newsletters 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


President  and  CEO  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Editor  Derek  Slater 
Managing  Editor  Michael  Goldberg 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors 

Scott  Berinato,  Todd  Datz,  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Departments  Editor  Kathleen  S.  Carr 

Contributors  Lauren  Horwitz, 

John  Medaska,  Malcolm  Wheatley 

COPY  TEAM 

Senior  Copy  Editors 
Diann  Daniel,  Emily  S.  Henderson 

Copy  Editor  Cathy  Mallen 
Assoc.  Copy  Editor  Daniel  John  Robinson 
Editorial  Assistants 

Daniel  J.  Horgan,  Margaret  Locher,  Al  Sacco 

RESEARCH  &  PROJECTS 

Research  Editor  Lorraine  Cosgrove  Ware 
Editorial  Resource  Manager  Carol  Zarrow 
Associate  Research  Analyst  Julie  Hanson 
Special  Projects  Manager  Lynne  Z.  Rigolini 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Associate  Art  Director  Chandra  Tallman 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 
Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
E-Commerce  Manager  Andrew  Burrell 
Online  Production  Specialist  Rupal  Patel 

Online  Producers  Todd  Borglund, 
Shannon  Macdonald,  Jen  McCarthy 

Designer  Graham  White 

INFORMATION  SYSTEMS 

Director  of  Information  Technology  Dagmar  Eiben 
Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists 
Michael  Fahlsing,  Jonathan  Frappier 

Systems  Administrator  Robert  Reagan 

Senior  Web  Developers 
Sean  McCracken,  Ellen  Morey 

Associate  Web  Developer  Anthony  Servideo 

CHIEF  SECURITY  OFFICER 
CXO  MEDIA  INC./IDG 

Robert  Hayes 


CXO  MEDIA  INC. 


INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 
CEO  Pat  Kenealy 






One-Time Password
Full PKI Support
Strong Authentication

The Authenex A-Key hybrid token offers USB and one-time password functionality for your company’s strong two-factor authentication needs. Whether those needs are VPN, LAN, or Web, the Authenex A-Key works in conjunction with the ASAS authentication server to offer strong two-factor authentication with or without PKI. The A-Key also provides 128-bit AES encryption and secure file exchange. The only solution that delivers total mobility and maximum flexibility is waiting for you.

e-Security
Less Overhead
Hard Disk/File Encryption
Secure File Exchange
Total Mobility

Available Now!

Get your free evaluation A-Key now*

Visit www.authenex.com/cso or call 1 877.288.4363

* Certain terms and conditions may apply.

© Authenex, Inc. All rights reserved. Authenex, A-Key and associated logos are registered or unregistered trademarks of Authenex, Inc. All other trademarks in this document are the sole property of their respective owners.


Are We Converged Yet?

Dan Geer, who applies his mathematical understanding of risk to problems of cybersecurity, once observed that “a fair percentage of risk management is naturally drawn to where the risks are unmanaged; and that sure as hell is information.”

If the natural job of CSOs is to identify and address significant areas of unaddressed risk, we would expect their attention to focus powerfully on infosecurity. And yet, as security continues its evolutionary path toward, we believe, a converged model of governance—the blissful state of unification between infosec and traditional disciplines—it still founders on unproductive mistrust and legacy attitudes. (This is not the first column I have devoted to this topic, more like the third and probably not the last.)

We recently looked at a survey of CSO readers, conducted by an independent research firm whose main purpose was to measure the strength of responses to advertising and editorial content. Included in the report were verbatim comments from readers about their overall impressions of the magazine. Happily, most of those surveyed like us just fine. But interestingly, we discerned a greater tolerance among infosec types for coverage of noninfosec topics—and conversely, a marked intolerance among traditional security types for coverage of infosecurity. If Dan Geer is right, if security governance is largely a matter of risk management, shouldn’t there be an insatiable hunger among all security executives for insight into the unaddressed risks of infosecurity?

These verbatims are admittedly an unscientific body of evidence. But they join with other aggregated conversations we’ve had with our readers, in which we hear way too many snarky rejoinders tossed across the divide between traditional and infosecurity camps. And camps are apparently what, too often, they are. Can someone please explain to me why this is?

The great importance of achieving convergence plays out in a public way within the Department of Homeland Security, where there has been a persistent struggle to give cybersecurity the weight it demands. Most recently, Amit Yoran resigned his post as DHS’s cybersecurity czar. Though Yoran himself has declined to confirm that his departure was caused by frustrations over a lack of agency commitment to moving the cybersecurity agenda forward, others spoke freely about a climate of political backwatering in which Yoran’s position was three levels removed from DHS Secretary Tom Ridge.

The point here is not to argue that cybersecurity ought to be given more prominence (though in many cases it should). It is to argue that security ought to be seen holistically, in which model cybersecurity would transcend its bucketed status. Indeed, considering IT or any other kind of security in isolation from the rest is a serious misunderstanding of the larger purposes of security as a broad strategic activity.

In our view, convergence can’t come soon enough.

-Lew McCreary
nicer eary  @  cxo.com 




Just think how happy your competitor is... getting your customer information for $50 was a real steal.

Have you considered the risk of leaving corporate data on obsolete computer hard drives before selling the equipment into the secondary market? When an old piece of IT equipment is sold, donated, or given to an employee, your corporate and customer information may inadvertently get into the wrong hands. Not to mention the financial, competitive, legal, and environmental risk a technology disposal may pose for your organization.

With RetroBox, IT disposal is a process, not an event. Our professional services ensure that your corporate and customer information is secure and your environmental liability eliminated. Let RetroBox make IT disposal a seamlessly managed process for your organization. In fact, RetroBox will reduce your IT disposal costs.

retrobox.com

For more detailed information about RetroBox IT Disposal Services, visit www.retrobox.com/inforequest.com or phone 800.393.7627 ext. 4805.




Know Your Employee

In October, we published “Anatomy of a Fraud,” the true story of a victim of an all-too-common corporate security risk. Some readers sympathized with the victim, but more reminded us not to trust anyone solely on merit. Lesson reiterated: check employees’ backgrounds.

INTERESTING READING AND A WAKE-UP call not to forget the basics of control and check. The placement agencies should vet candidates before offering them to clients. Even the person hiring should do his own check.

KAMESHWAR MISHRA
Manager, Corporate Recovery
KPMG, Kenya

THE PROCESSES AND SYSTEMS should be in place for the protection of the consumer by the various “trusted” entities—in this case, banks and employment agencies. The reason for threats of lawsuits is to awaken these entities to choose to use the more secure processes on their own, before someone finds them liable for major problems. For the entities to settle (like the bank) or to fight on such plain issues (like the employment agency) seems to indicate that our society is not ready to do the right thing for the right reasons. Rather, we would continue to do the cheap and doable under the pretext that we are increasing our bottom line, and pay the fines because we still look good on our balance sheet.

CAESAR ABCARIUS
Manager, Security Unit
California Dept. of Corrections

We  want  to  hear  from  you. 

To  respond  to  articles  you've  read  in  CSO,  write 
to  us  at  csoletters@cxo.com.  We  welcome  your 
criticism,  thoughts  and  suggestions. 


Industrial Controls

In August, Senior Editor Todd Datz wrote “Out of Control,” which described the potential dangers in industrial control systems—namely, a loss of control.

DATZ IS CORRECT IN pointing out that information security does not stop with IT. The proliferation of open systems and the merging of IT and production automation environments naturally increase the exposure of manufacturers and infrastructure operators to a variety of potential security issues. The thin veil of security through obscurity that proprietary and isolated architectures enjoy is being lifted by the many benefits that openness and interoperability are driving. This shouldn’t be cause for panic, but manufacturers and other automation users need to take a hard look at whether they are taking appropriate security measures. The key word is “appropriate.”

GLENN B. SCHULZ, CISSP
Director, Maintenance and Security Businesses
Rockwell Automation

Checks  and  Balances 

In  August,  we  wrote  about  the  need  for 
CSOs  to  monitor  their  companies’  back¬ 
ground  check  policies.  Sometimes  the 
background  checks  aren't  as  thorough  as 
they  should  be.  This  reader  disagreed, 
citing  the  strength  of  such  checks. 

IN DEFENSE OF EMPLOYEE SCREENING with regard to “Bad Checks,” sensationalized accounts of background check errors and resulting legal action provided for dramatic reading, but did not accurately portray the checks and balances in place in the employee screening sector. Readers might get the impression that background checks are fraught with errors, but they are not.

Given the volume of employee screenings performed industrywide, the incidence of faulty data and legal action is exceptionally small. For example, the incident cited involving our firm has been the only such incident in our 15-year history—a history during which we have performed more than 10 million searches.

The article touched on the role of the Fair Credit Reporting Act, but I think it minimized the importance of these federal guidelines in protecting employers and the public by giving job applicants the opportunity to dispute data before adverse employment action is taken.

STEFAN KELLER
President
Business Information Group

How to Reach Us

E-MAIL
csoletters@cxo.com

PHONE
508 872-0080

FAX
508 879-7784

ADDRESS
CSO Magazine
492 Old Connecticut Path, P.O. Box 9208
Framingham, MA 01701-9208

SUBSCRIBER SERVICES
phone: 866 354-1125
fax: 847 564-9453
e-mail: cso@omeda.com

REPRINTS
Reprints are available by calling Reprint Services at 651 582-3834, or via e-mail at csoreprints@reprintservices.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.






Confidence Inspired

www.rsasecurity.com/securid

June 1992
Secured dial-up connection to the office from a convention in Phoenix.

December 1999
Safeguarded VPN access 12 miles outside of Aspen.

October 2004
Protected Microsoft® Windows® desktop while in a holding pattern over LAX. No passwords. No problem.

Smart Move.


Predict Virus Outbreaks?

Believe it.

VIRUS OUTBREAK FILTERS™

Today’s email-borne viruses propagate globally in hours or minutes, much faster than traditional defenses can react, leaving you exposed to the “reaction time gap.” IronPort’s Virus Outbreak Filters™ stop viruses up to 8 hours before traditional virus definition files are available, literally predicting virus attacks before they cause harm. This astounding solution is powered by a series of proprietary algorithms that process data from SenderBase™, the world’s first and largest email traffic monitoring network. Available now at www.ironport.com/leader

IRONPORT

Rebuilding the World’s Email Infrastructure.

© Copyright 2004 IronPort Systems, Inc.


Kim  Van  Nostern, 
CISO  of  Allstate 


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  S.  Carr 


Awareness 


At  Allstate,  security  is 
cause  for  a  carnival 


COMMUNICATION  STRATEGIES  When 
Kim  Van  Nostern,  Allstate’s  CISO,  wants  to  get  the  security 
message  out,  she  organizes  a  fair. 

Security Awareness Day, the brainchild of senior managers in information security with help from the entire infosec staff, began as a small affair in 2001. By 2003, that small affair had swelled to include 3,000 employees.

The event, which costs up to $50,000, is held at headquarters in Northbrook, Ill., and at two major field locations. Some sessions are viewed at other sites through videoconferencing. In 2004, Allstate used streaming video for the keynote speech so that employees could watch the presentation at their desktops.

Allstate employees visit booths created and staffed by information security employees. There’s also a security theater and special sessions on hacking, cryptography, privacy, spam and other topics. The fair is held indoors in cafeterias, conference rooms and auditoriums.

The aim of the fair is to make employees aware of their security roles. For two years, Allstate’s theme has been, “Think globally, act locally.” Van Nostern says she wants workers to understand that hacker threats can originate from anywhere and to know that they have a “local” responsibility to follow basic security policies such as locking their workstations when they leave their desks, guarding customer information and not sharing passwords. The CEO and CTO attend, helping draw employee interest.

“We want employees to think about information security both from the large corporate perspective as well as their individual responsibility. The threats our company faces today can be of an international nature—hacker attacks can originate from anywhere in the world,” Van Nostern says.

Keynote speakers have included Roger Cressey, who served as chief of staff to the president’s critical infrastructure protection board; Mark Doll, U.S. director of Ernst & Young Security practice and author of Defending the Digital Frontier: A Security Agenda; and Richard Purcell, a consultant and former Microsoft chief privacy officer.

“The fairs are hugely successful with our employee population,” says Allstate CPO Joanne Derrig. “They are a fun way of bringing home an important message. I will never forget the ‘What’s wrong with this cubicle?’ game. There were so many security and privacy violations; it was our version of Where's Waldo?"

The fairs also offer food for thought, Van Nostern says. "We gave out fortune cookies with security messages such as ‘Misfortune may follow installation of outside software on your workstation.'”

-Kathleen S. Carr

ALLSTATE’S CARNIVAL
COST: $30,000 to $50,000
ATTENDANCE: 3,000 employees and invited guests
EXHIBITS: hacking, cryptography...

CSO SECURITY CHECK

What image do you think you portray at your company?

39% My image is evolving
Guard

Percentages based on 157 responses. CSO Security Check is an open weekly poll on www.csoonline.com. To read more about your image, see “Secrets of Their Success," Page 26.


Converging Credentials

CERTIFICATIONS The security field’s two premier certification groups—one for physical-related practices, the other information security-related issues—have agreed to recognize one another’s credentials.

On Sept. 30, representatives for ASIS International and International Information Systems Security Certification Consortium, or (ISC)2, said they signed a memorandum of understanding committing to endorse one another’s professional certifications. ASIS has administered the certified protection professional (CPP) certification for the past 27 years, and (ISC)2 has been administering the certified information systems security professional (CISSP) and the systems security certified practitioner (SSCP) certifications for 15 years.

“This is the first step,” says James Duffy, president and CEO of (ISC)2. “We’re going to see what other types of benefits we can provide to each other’s membership.”

ASIS member Dave Kent, vice president and CSO of Genzyme, says the agreement is a mark of progress. “We are well on our way to a converged model but still a long way from having the majority of businesses and institutions recognize the value of placing a CSO on their most senior operating committee.” -K.C.


PHOTO BY JEFF SCIORTINO


December 2004 www.csoonline.com 13




Ron Huberman, executive director for Chicago’s office of emergency services and communications


Smile, You’re on a Chicago Camera


HOMELAND SECURITY The city of Chicago is serious about homeland security. In September, Mayor Richard M. Daley announced ambitious plans to create a network of 2,250 surveillance cameras throughout Chicago. While providing the means to beef up security, the network will also “redefine how 911 works,” says Ron Huberman, executive director for the office of emergency services and communications, who’s heading up the implementation.

Today, when a Chicagoan calls 911, the caller’s name and address pop up on the dispatcher’s screen. The dispatcher then relays the message, and the caller’s location, to the correct department. The new system will provide video images from the camera closest to the caller’s location, allowing responders to better assess the situation and provide a more effective response.

Chicago already has 2,000 standalone videocameras installed throughout the city at places such as schools, transit stations and intersections as well as at O’Hare International Airport. An additional 250 cameras will be added at undisclosed locations deemed “high-risk terrorist targets.” Linking the cameras into a single network, tied to smart software that can monitor suspicious activity without human intervention, will bring the surveillance system to a whole new level, Huberman says.

The complete network is scheduled to come online in March 2006. The software will be developed with a $5.1 million grant from the Department of Homeland Security. The city is spending another $3.5 million to buy additional cameras and to build a new operations center capable of accessing all of the camera images, Huberman says.

-Megan Santosus


Cowboys Against Terrorism

AIRPORT SECURITY

Texas lore is filled with cowboys and rugged individualism, but the state is also home to patriotism and community spirit. Just witness Houston’s Airport Rangers. About 700 volunteers, including off-duty police officers, are approved to mount their horses and patrol the perimeter area of the 11,000-acre George Bush Intercontinental Airport.

Faced with post-9/11 perimeter intrusion concerns and obligations to create a shoulder-mounted missile mitigation plan, airport security put equestrians to good use. Although shoulder-mounted missile attacks on airplanes have not occurred in the United States, incidents in other countries have been widely publicized. Concerns of intrusion into the area are great since much of the airport land is heavily wooded and isolated. “We’ve made a very unpopulated area much more populated,” says Mark Mancuso, deputy director of aviation for the Houston Airport System’s division of public safety and technology.

The Texas program is similar to the program at Logan International Airport in Boston, where clam diggers assist airport security efforts on nearby beaches.

Volunteers must undergo criminal background checks, as well as training. Once approved for duty, they are given ID badges and license to ride during the day. They must carry a cell phone, call into a dispatch center to check in, and report suspicious activity. Mancuso considers it a win-win situation. Although some have criticized the program as inadequate, Mancuso says, “I believe in layered solutions for security. This is not the only way to secure the perimeter; this is just one of our programs.”

But there’s no denying the volunteers’ contributions. Airport Rangers have alerted authorities to evidence of hunters, as well as to potential vulnerabilities, such as holes in the fences. “It may be unusual to some, but to us it was an opportunity to incorporate the community into our security program,” Mancuso says. So much so that during a peer review of New York’s JFK Airport perimeter intrusion system, Mancuso encouraged involving the yachting and fishing community in security efforts.

-Diann Daniel


FROM THE DEPARTMENT OF TRAIN YOUR STAFF


48% of companies have not provided formal security training for their workforce.

SOURCE: HUMAN FIREWALL SECURITY AWARENESS INDEX




PHOTO BY MARC POKEMPNER; ILLUSTRATION BY KATY LEMAY


Advertisement 


Time Zone Tim


If it’s Thursday, it must be Brussels. Or Bangkok. Or maybe Birmingham. Come to think of it, intrepid road warrior Time Zone Tim often has to look at the local phone directory when he wakes up to know where his travels have taken him. But no matter where in the world Time Zone Tim may be, he’s always in touch with the information he needs thanks to some innovative tools for mobile warriors like him. We caught up with Tim—where else but on his way to the airport, sipping on a double latte.


As usual, you are on the road. What are your most pressing needs when traveling the globe on business?

The first thing that pops into my mind is a business-class seat courtesy of a free upgrade, but if you mean a pressing business need, let me put it this way. When I’m with customers in Rome and they need the current status of pending orders, they don’t care that the data is sitting on a server back in the main office in Phoenix. I need secure, wireless access to vital information and I can’t be jumping through hoops to get it.


Has email been a problem for you?

No, not since my company began working with Nokia to provide road hounds like me with reliable wireless email. It used to be that a long cab ride in heavy traffic was just unused downtime for me. Now I use all that time to check email and message my clients. It sure beats trying to converse with a cabbie in a language I don’t understand! With wireless email, I’ll bet I gain another hour per day of real productivity given all the running around I do.


Bill Laberis was editor in chief of Computerworld for ten years (1986-1996). He is president of Bill Laberis Associates, a custom publishing and content company (www.laberis.com). His columns, Webcasts, supplements and magazines are well-known and respected throughout the high-tech industry.


Would you say that staying connected is mission-critical for you, no matter where you are?

Mission-critical—you mean like the way proper nutrition is to the human body? For people like me staying connected is everything. Last week in Tokyo, I followed a competitor into my client’s office. While my competitor was trying to phone someone back home about the availability of some parts, I placed the order right there and won the business. Then we went out for some sushi. Thanks, Nokia!

What are your devices of choice for staying in touch?

I have a few, depending upon my needs. My Nokia 9500 Communicator gives me a full set of business-critical applications, fast network connectivity, and mega memory storage, sort of like taking my office on the road. And my smartphone based on the Nokia Series 60 software platform is just dynamite for voice and data communications. I use it for email, Internet browsing, and occasionally—just occasionally—a quick game of hearts.

What are the most important features of these devices?

For one thing, they have to really help me blast through my work so I can have a bit of time for one of my favorite hobbies—napping. Look, you’re talking to a guy with five thumbs on each hand, technically speaking. All my access devices have to be easy enough for any normal business professional to use to quickly communicate with important contacts and access critical data. If it isn’t real user friendly, chances are it isn’t Nokia. Oh yeah, our IT department wants all mobile devices to be both cost-effective as well as future-proof. That’s Nokia, too.

Traveling as you do and needing access to such sensitive information, aren’t you worried about data security?

Yes and no. Yes I am worried about what might happen if a competitor or just about anyone else were able to get to the same data I can. That would be bad for my company and therefore bad for me. But no, I’m not really worried because Nokia has worked wonders with something our IT guys call Secure Sockets Layer or SSL, as well as with firewalls and secure VPNs to ensure that people like me practice nothing less than safe computing, anywhere and any time.

Sounds like Nokia is an excellent traveling companion for you?

You can say that again. Nokia is my traveling security blanket. Like a first-run in-flight movie, Nokia makes me feel good.

One final question: Why all the watches?

They seem to sell them everywhere I go these days and I’m a compulsive shopper. I just wish one of them would work as well as my Nokia mobile technology.


Learn more about applying a mobility strategy to your business. Download the “Small Changes, Big Impact” white paper.

nokiaforbusiness.com


Produced by: NetworkWorld

NOKIA Connecting People


THE SECURITY BLOTTER

Breaches, scams and other recent incidents of note


Boston police change crowd-control tactics after fatality. When thousands of baseball fans poured into Boston’s streets on the night of Oct. 21 to celebrate the Red Sox’s American League pennant win over the New York Yankees, police attempting to control the crowd fatally injured a 21-year-old woman with a pepper-spray pellet gun advertised as nonlethal. On the night of Oct. 27, after the Red Sox swept the St. Louis Cardinals to win the World Series for the first time in 86 years, Boston police deployed more than 700 officers—a few hundred more than the previous week—to control an estimated 70,000 fans celebrating in the streets, The Boston Globe reported. Police also worked to keep several crowds from joining into one mob. And instead of pellet guns, officers used an aerosol pepper spray in trouble spots. The night’s revelry resulted in 63 injuries, mostly minor, and 39 arrests for disorderly conduct and similar offenses, police said.

Infosec tools adopted to prevent consumer ID fraud. In Britain, 28.4 million credit and debit cardholders—about two of every three in the country—now own cards armed with a new chip and personal identification number. The new cards are being issued to combat rising fraud trends: Credit and debit card fraud grew nearly 20 percent between January and July, and crimes involving cards lost or stolen in the mail increased 51 percent, according to the Association for Payment Clearing Services, a British trade group. More than 438,000 retail outlets have adopted cashier equipment to read the new cards.

In Massachusetts, officials unveiled a new driver’s license with a hologramlike security feature and embedded ultraviolet state seals to prevent ID theft and underage drinking.

After Russian massacre, a soft-target warning to U.S. schools. Federal law enforcement authorities and the Education Department issued two security warnings in October, including one sent to officials from eight districts cited on a computer disk found in Iraq. That disk contained photos and floor plans about schools in Georgia, Florida, Michigan, New Jersey, Oregon and California, The Associated Press reported.

The Department of Education e-mailed a second nationwide warning to school police, state school officers, school boards and groups representing principals advising school leaders to watch for people spying on their buildings or buses. The warning follows an analysis by the FBI and the Department of Homeland Security of the September siege of a school in Beslan, Russia, that killed nearly 340 people, many of them children.

Wardriving spammer convicted. A 28-year-old Hollywood man was the first person convicted under the Can-Spam Act of 2003—for using other people’s wireless Internet accounts to send thousands of unsolicited adult-themed e-mails. In a California court on Sept. 27, Nicholas Tombros pleaded guilty to violating the federal law that prohibits breaking into someone else’s computer to send spam. He admitted that he went “wardriving” around Venice Beach, Calif., with a laptop seeking unprotected wireless access points so that he could send the e-mails, according to U.S. Attorney Debra W. Yang. Tombros, to be sentenced Dec. 6, faces up to three years in prison.

Rocket warning gives Israelis 20 seconds to find cover. Israel Defense Forces have developed a system to give residents of towns like Sderot, near the Gaza Strip border, a 20-second warning that a Palestinian rocket attack is under way. The towns have been targeted by more than 325 rocket attacks in the past four years, killing four people between July and mid-October, The Washington Post reported. Israel launched a military operation in Gaza on Sept. 28 to try to stop the attacks. Residents told the paper the loudspeaker warnings could give schoolchildren time to find cover.


Police showed up in force in Boston as the Red Sox clinched the World Series.


Top 10 Surveillance Indicators


According to the Department of Homeland Security website, the following indicators suggest possible terrorist planning.

1. Prolonged interest in security measures, personnel, entry points and access controls, or perimeter barriers such as fences or walls.

2. Behavior such as staring or quickly looking away from personnel or vehicles entering or leaving designated facilities or parking areas.

3. Observation of security reaction drills or procedures.

4. Increase in anonymous telephone or e-mail threats to facilities in conjunction with suspected surveillance incidents—indicating possible surveillance of threat reaction procedures.

5. Surveillance by two or three individuals on foot.

6. Mobile surveillance using bicycles, scooters, motorcycles, cars, trucks, SUVs, limousines, boats or small aircraft.

7. Prolonged static surveillance using operatives disguised as panhandlers, shoe shiners, food or flower vendors, news agents or street sweepers not previously seen in the area.

8. Discreet use of still cameras, video recorders or note-taking at nontourist locations.

9. Use of multiple sets of clothing and ID.

10. The use of sketching materials (such as paper and pencils).


SOURCE: DHS




PHOTO BY AP/WIDE WORLD PHOTOS; ILLUSTRATION BY KATY LEMAY


More colleges and universities are graduating to Software House.


Our fully scaleable security management systems are used at educational institutions across the country. Software House solutions give you real-time control over your entire access system and integrate with a wide variety of other systems. Take control with the leader in security management solutions — Software House.

• C•CURE® 800/8000 security management solution

• iSTAR™ intelligent controllers with DHCP support

• Solid integration platform for streamlined control of access, digital video, ERP, HR systems, asset management and more

www.swhouse.com 


C•CURE 800 Security Management System


DISASTER RESEARCH Kathleen Tierney, professor of sociology at the University of Colorado at Boulder, knows that a lot of people believe the Sept. 11, 2001, terrorist attacks changed the world. She also knows they are wrong—at least when it comes to the way individuals respond to disasters. Tierney directs the National Hazards Research and Applications Information Center, which studies the sociological effects of disasters. She notes the study of individuals’ responses to crises has been ongoing for five decades. She spoke with Departments Editor Kathleen S. Carr about the field of disaster research, the lessons of 9/11 and how CSOs can start preparing for the worst.

CSO: How did disaster studies originate?

Kathleen Tierney: The field of disaster research in the United States is more than 50 years old. Studies of social behavior under disaster conditions were saturated after World War II. The government was concerned about what would happen to communities in the event of nuclear war. We’ve studied disasters of all kinds, how people behave in those disasters and how organizations respond.

Did you see anything new or unique in the sociological response to 9/11?

There was nothing new in the World Trade Center response. Much of what we saw was exactly what we’d expect. The issue wasn’t what was new, but what was confirmed in terms of issues of preparedness. The commonalities to other catastrophic events were a mass convergence of emergency response personnel and problems of communication. We know that preexisting conditions and the lack of organization among the responders affected the response. Fire and police weren’t collaborating. There was a lack of unified command. The fact that people didn’t panic in the towers, that they helped one another, was no surprise. All of this is consistent with what we’ve seen in other crises.

Was 9/11 the catalyst for CSOs to explore the effects of disaster on people?

Actually, something happened around Y2K to spur this activity. Companies realized, when faced with the millennium bug, that disaster preparedness, security and risk management were fundamental to the survival of corporations. It was no longer an IT problem but a corporate problem. Y2K and 9/11 brought about changes in the way CEOs look at IT security and disaster-related functions within their organizations.

What can CSOs do to prepare their organizations for a disaster?

First, assess the capabilities of your workforce. Do you have employees who have first aid training or who are part of a community emergency response team? Find out who has a medical background, who knows CPR, or who is trained in search and rescue.

Second, are people willing to take on preparedness tasks? Shift the emphasis away from what you’re going to do for people to what people are going to do for themselves. The first responders in all emergencies are ordinary people. Until we want to put a police officer or firefighter in every cubicle, home and metro train, ordinary people will still be the first responders. Look at your workforce as the key to ensuring security.

How can CSOs best educate themselves to understand how their employees might respond in a disaster?

There is a large body of solid work out there that addresses most of the key issues that any security officer would want to inquire about. Our center, founded in 1976, is a clearinghouse for information on human behavior (www.colorado.edu/hazards). There’s also the Disaster Research Center at the University of Delaware (www.udel.edu/DRC). ■

For more on securing your workforce during a disaster, read this month’s Security Counsel column, “Up and Running,” on Page 22.






Enterprise 


It is one of the most lethal threats that your enterprise faces today. Spyware steals bandwidth, halts productivity and puts your intellectual property in harm’s way. Webroot Spy Sweeper Enterprise offers real-time protection by identifying and eradicating spyware across your organization. To find out what spyware is preying on you, run a free network scan at www.webroot.com/caught or contact us at 866.254.8147.


Webroot Software, Inc.

Webroot Spy Sweeper


The Who, What and Why of Washington

Top Billing

NEWS FROM INSIDE THE BELTWAY


Biometrics by Fire

From iris scans to fingerprints, three DHS pilot programs have created a high-profile test bed for biometrics technology. By Al Sacco


THE BIOMETRICS COMMUNITY had been waiting for a moment like this. “Biometrics is at the forefront in our agenda for homeland security,” declared Asa Hutchinson, the Department of Homeland Security’s undersecretary for border and transportation security, at the 2004 Biometric Consortium Conference.

He wasn’t exaggerating.

DHS has rolled out three major pilot programs that rely heavily on biometric technology. The programs are grabbing the eyes of advocates and activists alike because their successes—or lack thereof—are sure to influence the adoption of the technology nationwide.

The best-known program is the U.S. Visitor and Immigrant Status Indicator Technology (US-Visit) border security program. US-Visit, which is in place at 115 major airports and 14 seaports, requires that foreign visitors have their index fingers scanned and digital photographs taken when they enter the country. This information is used to confirm the individual’s identity and also is checked against a database of known criminals and suspected terrorists.

Meanwhile, the Transportation Security Administration’s Registered Traveler program has been rolled out at five major airports. This program gives known travelers a fast lane through airport security, in hopes of allowing screeners to focus on unknown travelers who pose greater risks. The five airports are deploying different technologies and configurations to determine what works best. For instance, some systems will use both facial recognition and iris-scan technologies, while others will require only one or the other.

Finally, the seven-month prototype phase of the TSA’s Transportation Worker Identification Credential (TWIC) program was launched in August. The TWIC is a smart card with an embedded photograph that is used to confirm the worker’s identity. The goal is to prevent unauthorized persons from gaining access to secure areas by posing as employees.

TSA expects to issue cards to 150,000 workers from ground, aviation, rail and maritime facilities in six states.

M. Paul Collier, executive director of the nonprofit Biometric Foundation, says this is a step in the right direction. “Biometrics really give you two things: One is security; the other is convenience,” he says. “Biometrics are an essential tool in any personal authentication scenario.”

Privacy rights advocates, however, are increasingly wary of data being mishandled or misused. They are concerned, for instance, that information collected for legitimate usage may eventually be used for illegal means, leading to identity fraud.

But the government has plans to expand the programs. At a recent conference in San Francisco, Assistant Secretary of Defense for Homeland Defense Paul McHale challenged the biometrics industry to develop additional technologies, according to The San Francisco Chronicle. “Our enemies are brutal, clever and no longer in uniform,” he said. “I believe that in identifying these 21st century enemies, biometrics can play an extremely important role.” ■


News from Washington

To read more about what’s happening in Washington, D.C., visit our website at www.csoonline.com/wonk.


In late October, President George W. Bush put his John Hancock on the FY 2005 Homeland Security Appropriations Act. The act provides $28.9 billion in net discretionary spending for the Department of Homeland Security and represents a 6.6 percent increase—or $1.8 billion—over FY04 funding. Including all mandatory and fee-funded programs, a total of $40.7 billion will be at the department’s disposal in FY05. The funding will go toward strengthening border and port security, enhancing biodefense and improving aviation security, among other initiatives.

The Strategy Targeting Organized Piracy (STOP) program was announced in early October, advancing the Bush administration’s national crackdown on theft of intellectual property and the sale of fake designer brands and other counterfeit products. The administration claims that the sale of bootleg products is estimated to account for up to 7 percent of global trade and cost legitimate rights holders around the world billions of dollars annually. The departments of Homeland Security, Justice and Commerce will participate.

When camera phones exploded into the mainstream, the issue of privacy rights concerning when these devices can, and should, be used rushed into the picture with equal gusto. The Internet, combined with cell phone cameras, PDAs and a host of other miniature lenses, has turned furtively obtaining video into a sport for many voyeurs. The Video Voyeurism Prevention Act of 2004, which has passed both the Senate and the House of Representatives, prohibits the photography of certain sections of an individual’s naked body or undergarments without that person’s consent. Individuals who violate the law could be fined or imprisoned for up to a year.




PHOTO LEFT BY CORBIS; TOP BY GETTY IMAGES


CISA

CERTIFIED INFORMATION SYSTEMS AUDITOR

CERTIFIED INFORMATION SECURITY MANAGER


For more than 30 years ISACA has been certifying professionals with its flagship certification, CISA (Certified Information Systems Auditor), the globally accepted standard among IS audit, control and security professionals. In 2002, ISACA introduced CISM (Certified Information Security Manager), a groundbreaking credential specifically designed for information security professionals who manage an information security function of an enterprise or have information security management responsibilities. Together these programs have certified over 40,000 people worldwide.


International exposure, recognition of advanced job skills, participation with a global leader in IT certification—all of these benefits are obtained through achievement of an ISACA certification. For more information, visit the ISACA web site at www.isaca.org/certification.


Information Systems Audit and Control Association


Up and Running

John Medaska, vice president of business development at Relational Technology Services and president of the Tampa Bay InfraGard, answers readers’ questions about business continuity


Q: I must prepare my first structured walk-through exercise of the emergency management and disaster recovery plan. I want to incorporate both plans into the exercise. Please give me suggestions to make the exercise powerful, motivating and informative. Can you ever give too much information?

A: It is an aggressive endeavor to incorporate both emergency management and disaster recovery into one exercise, but there are great benefits. By bringing these players together, I believe that you will uncover challenges and benefits while determining if you have the buy-in required for success. The key to these exercises is preparation. Define what you are trying to accomplish. The focus of the exercise is planning, but there are indirect benefits—including driving the importance of these plans at the executive level, educating the participants about the benefits and generating excitement. The scripting is very important to make sure that the trigger points, hand-offs and overall interaction are covered.

Make sure your handouts are professional and focused. I would also suggest that if you are running the exercise, there should be another person focused on keeping the minutes, questions and action items. These planning sessions and exercises are the most beneficial when they identify areas for improvement. If you are directing the exercise, have additional resources to assist you. The comments, questions and assignments need to be accurate and recorded.

I believe that giving participants too much information can distract from the agenda and the purpose of the meeting. Have enough information to deliver your message, but keep the group—and the exercise—focused.

Q: You’re in a market that saw three hurricanes in six weeks. In terms of ROI, did your company and the clients you serve generally see a greater risk-reward benefit from a disaster recovery strategy or from a business continuity strategy?

A: I believe that the overall return on investment was directly proportional to the investment and preparation. As Florida was hit by back-to-back storms for two months, we saw that companies that had focused solely on disaster recovery planning—without including a plan for full business continuity—were affected more. What was clear was the fact that the unfortunate repetition increased the focus on plans for disaster recovery and business continuity. The storms also gave teams practice that is generally not available.

Q:  How  large  and  diverse  should  a  continuity  crisis 
management  team  be?  What  are  the  key  roles? 

A:  The  crisis  management  team  should  encompass  all 
areas  within  the  enterprise:  C-level  management,  IT, 
operations,  HR,  legal,  contracts,  shipping  and  others. 
There  should  be  leaders  within  each  of  these  areas  and 
clearly  defined  alternates.  The  crisis  management  team 
should  consist  of  individuals  who  are  best  suited  for  the 
job,  not  the  highest-level  managers  within  each  area. 

The important roles are these: Who handles the communication internally and externally? Who can handle budget issues quickly and efficiently during a crisis? Who covers IT and data? And, of course, the CEO.


Q:  When  deciding  how  to  centralize 
security  into  an  organization  led  by  a 
security-dedicated  officer,  what  do 
you  think  is  the  single  best  argument 
for  including  traditional  IT-business 
continuity  in  this  consolidation? 

A: By “security-dedicated officer” I would assume a CSO or equivalent sits in that leadership position. The CSO should be focused on all aspects of the protection and ongoing availability of data. The processes that are involved in security bridge the gap between IT-related functions such as traditional authentication, intrusion detection and recovery activities from all types of security incidents. Business continuity’s foundation can be found in the day-to-day focus of the CSO. Business continuity management requires leadership, budgeting and business activities that engage all aspects of the company. If the CSO has been given the ability and authority to oversee the corporate protection of data, he can champion traditional IT-business continuity with the support of the other business unit executives.


Ask  Your  Peers 


Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to Departments Editor Kathleen S. Carr at kcarr@cxo.com. See what your peers are discussing at www.csoonline.com/counsel.


22  www.csoonline.com  December  2004 




how Time for Security

Sure, image isn’t everything. But in security, projecting the right image helps get the job done.

By Sarah D. Scalet


The magazine you hold in your hands started as what we thought would be a lighthearted way to ease out of 2004: the image issue. Our idea was to explore the role of appearances in security and determine how the profession needs to make itself over in order to get its message heard. To demonstrate our point, we decided to give ourselves a temporary makeover in the spirit of Cosmo and Men’s Health—the kinds of magazines that do image best.

Think  security  is  too  serious  a  matter  for  such  fluffery?  Think 
again.  It’s  precisely  because  security  is  so  important  that  we  need  to 
pay  attention  to  how  it’s  perceived. 

The more we talked with security leaders, the more we realized that image is critical to everything the CSO does. Gavin de Becker, author of the book The Gift of Fear, is especially eloquent on the subject. “There is an element of appearances to security, and I don’t mean this in an unfavorable way,” says the famously unflappable de Becker, who has guarded his image as closely as the Hollywood stars he is hired to protect. “Precautions that are expected to deter often draw some of their effectiveness from appearing to be this or that. Effective security professionals know that demeanor and appearances are a language that can communicate confidence far more keenly than mere words.”

Right now, however, security has an image problem. “We are increasingly seeing a security apartheid,” says Thornton May, longtime IT consultant and observer. “Security professionals are increasingly isolated from the organizational mainstream.”

May is pessimistic about the CSO’s propensity for change. But we truly believe that the most successful among you are trying to make over yourselves and your profession, the better to inspire confidence and authority. Once an assortment of stereotyped “geeks” and “guards” who’d been promoted up a few tax brackets, CSOs are now struggling to become—and be recognized as—businessmen and women who take a strategic view of risks across the enterprise.

Howard Schmidt, CISO of eBay, has sharpened up his image (see Page 44).

This effort is an image battle as much as anything else, and the change is happening on three levels. On the first level are CSOs themselves—you—who are learning that to be taken seriously as executives, you have to act like your peers from other parts of the business. It might seem obvious, but you do have to talk like a businessperson. You do have to dress like a businessperson. Heck, you might even decide you need a new haircut. Just look at what eBay’s Howard Schmidt, one of the country’s most prominent CISOs, has done to his look over the years. (Schmidt explains why in “Mr. Schmidt Goes to Barneys” on Page 44.)

Closely tied with the CSO’s personal image is a second level: how other business executives and their staffs view the security department and its leader. This perception is fundamental to any security awareness program and the key to selling any security initiative to the rest of the business. Michael Assante, CSO of American Electric Power, is candid about the kind of forethought that goes into this transformation. “I knew that image was going to be an important part of being able to have success,” says Assante, who two years ago became the first person at AEP to have control over both corporate and information security. “I overthought about everything.”

Assante concluded that he needed to distance himself from his military roots and incorporate himself into the business, as the leader of a new department called enterprise risk management. He does part of this through the way he dresses. (See “Secrets of Their Success,” Page 26.) But the strategy runs much deeper. “Yes, there’s a guard force component,” he says of the security department. “Yes, there’s a law enforcement component. But I’ve really worked to drive that out of our image. I make sure that when we talk to folks, we’re understanding their business processes. And then, when we sit down to talk about security exposures, we present a strong business case.” Assante thinks the approach has worked, because now people ask for his advice on other kinds of risks. If Schmidt is post-geek, then Assante is post-guard.

Finally, the third level of this transformation has to do with the way the corporation as a whole makes security part of its image. This is the endgame, the payoff, and we’re beginning to get there—but just barely. So far, in fact, most of the companies that are marketing their security (security vendors aside) are ones that have been forced to, such as Microsoft. (See “Security Sells,” Page 46, for more.)

Skeptics could argue that their actions are just lip service. There’s an entrenched mistrust in security of things that are done just for looks—what author Bruce Schneier likes to call “security theater.” But we’re not talking about doing things because they look good. We’re talking about making things look as good as they are.

“Image is 100 percent important,” says Schneier, author of Beyond Fear and a prominent observer of the security industry’s evolution. “Otherwise you’re not listened to; you’re not taken seriously; you can’t get the budget. If you don’t deal with everything around the politics and socialization, you never get to the actual security.”

In other words, it’s not style over substance.

It’s substance, with style.


PHOTO-ILLUSTRATION  BY  STEPHEN  WEBSTER;  PHOTO  BY  RON  AIRA 




Management Tips

It takes more than knowledge and experience to excel. Five top CSOs share their tips for putting forward a positive message—in appearance, word and deed.

THE CAREFUL DRESSER

Michael Assante’s wardrobe helps him project the right image for the situation.

Michael Assante doesn’t just wear snappy suits. He wears them with a purpose. “In some ways, when I wake up in the morning, I think about how I’m going to dress depending on what I’m going to do,” says Assante, CSO of American Electric Power (AEP).

Assante—who at age 33 is the first person at the Ohio-based Fortune 500 company to have custody of both corporate and information security—has bigger concerns than which tie to wear on a Monday morning. But the right clothes on the right day, he says, give him a head start in establishing credibility.

“I’ve seen some security guys who roll up their sleeves to show off their physiques, or there’s a cargo pants kind of feel to their pants,” Assante says. “Or the typical uniform is gray pants and a blue blazer. You look like you came out of law enforcement.” Assante, who has a background both as an intelligence officer and a security entrepreneur, wants to make sure that he is seen as a businessman, not a cop. So when he started the job at AEP, he deliberately decided to dress for work according to the day’s situation.

Sure, if he’s been pulling all-nighters during an investigation with law enforcement, he might wear a black suit with a black shirt. But if he’s presenting to the board, he’ll probably wear a lighter colored suit. And if he’s in a daylong strategy meeting with other executives whom he knows will be in business casual, he makes sure to match their style. He’s even trying to teach his top lieutenants how to dress for the occasion. On this score, he often leads by example, but sometimes he’ll bring it up with them before an important meeting.

Wait a second! A CSO talking with his colleagues about business casual? “If I walked in wearing a tie, it’s a bad fit,” Assante explains. “All of a sudden it sends a bad message: I’m not one of these people, I’m different. And they start treating you different.”

The same goes when he visits, say, a coal-fired power plant. On that day, he’d wear steel-toed boots, cargo pants and a polo shirt, along with his ear protection and eye-protection-quality sunglasses. “If I wore a business suit at a facility, I’d be laughable. I’d lose credibility” with people who work at that facility every day, he says, adding, “I always think about what’s my environment, who’s my audience, and what’s the image I want to portray.”

Even so, Assante always keeps his military-style crew cut and clean-shaven face, and he can’t help but tuck in his shirt like a military guy—pulling in the sides and tucking them under so that the shirt lies flat across his chest.

“The  trick  is  to  try  to  keep  both 
images:  the  national  security  leader 
image  and  the  corporate  image,” 
he  says.  “And  it’s  really  powerful 
when  you  can  keep  both.  I  know 
that  the  image  has  been  successful 
because  I’ve  been  asked  to  give 
advice  on  other  types  of  risk.” 

-Sarah  D.  Scalet 


THE  LINGUIST 

Robert  Garigue  studies  his 
colleagues’  styles  so  that  he  can 
speak  security  in  their  native 
tongues. 

Robert  Garigue  answers  his  phone  in  French, 
but  when  the  speaker  says  “hello”  instead  of 
“bonjour,”  his  words  easily  flow  into  English. 
Juggling  those  two  languages  is  the  easy  part 
of his job. The language barriers that he worries about instead are those of the many tribes
that  coexist  at  the  Bank  of  Montreal,  the  Global 
500  company  of  which  Garigue  is  CISO. 

“Every  culture  has  its  own  jargon,  because 
to  be  effective,  you  reduce  the  message  to  the 
simplest  components,”  Garigue  says.  “But  only 
people  in  that  culture  understand.  If  I  don’t 
tell  you  what  a  VA  [vulnerability  assessment] 
is,  it  doesn’t  mean  anything  to  you.” 

Ask Garigue about the image a leader projects, and he slips into a complicated explanation of semiotics—that is, the study of language. There’s syntax (the structure of language), semantics (the meaning of language) and pragmatics (how people react to that message). “The role of the CISO is not so much about image, but [about] how you get the message across” using all these elements, he says. And to be an effective communicator, he adds, “you have to use examples from the tribal culture that you want to influence.”

Take human resources, for example. Right now, Garigue is working on access control—identity management and privileges, in security parlance. Those aren’t words that necessarily resonate with HR. Instead, Garigue tries to talk about access control in terms of the organizational charts that HR managers understand. “HR might not realize that because there are certain processes they’re not supervising, other people are going to take liberties around something that is duly mandated for them to control.” In other words, those people might create their own org charts.

Garigue tries hard to find ways to communicate with all the tribes in his organization, from HR to finance to network engineers, using metaphors they can understand that influence them to think about security as an organizational benefit in their own language. The question, he says, is: “How do we talk to all these cultures in a way that makes them do something different to improve the health of the organization?” The answers make the Bank of Montreal more secure. -S.D.S.

PHOTO LEFT BY DAN COOK; RIGHT BY JULIE DUROCHER

THE  BANKER 

Rhonda  MacLean  stresses 
bottom-line  security  messages 
at  Bank  of  America. 

Rhonda MacLean, CISO of Bank of America, has learned to talk like a banker in order to communicate about security, peppering her speech with investment terms and customer-value meanings to make her message relevant.

“I meet mostly with my executive leadership team; these are not just technology folks, they are leaders of the business and risk executives, auditors,” says MacLean. “We talk about information protection. The language I use is around the risk-reward language. Will what we’re doing help grow the business? Will it allow for innovation? How do we manage the risk? We talk about our commitment to our customers. Using risk-reward language translates to the business.”

Metrics also takes a front seat, MacLean says. “I use a lot of metrics here. Being able to articulate and quantify what we’re going to get out of an investment is important,” she adds. “I report how many desktops we need to clean up from viruses, we show the volume of activity, and then we can tell the impact [of a virus] we’ve prevented at our company.”

-Kathleen  S.  Carr 

THE  MARKETEER 

When  customers  bring  you 
problems  to  solve,  says  Jack 
Johnson,  it’s  a  tailor-made 
marketing  moment. 

That rugby scrum of abruptly force-fit agencies now known as the Department of Homeland Security presents interesting challenges to its CSO, who must market security awareness internally to an incohesive set of legacy cultures. “We have individuals, and even entire organizations, that transitioned to DHS with little previous involvement in security-related activities,” says DHS CSO Jack Johnson. “So our challenge is to develop a baseline level of training for everyone, and then set up [further] boutique-type training for components with specialized requirements.”

Training is a hot priority within DHS, particularly for people who may never have seen a classified or sensitive document but now must handle them every day. Johnson, a 20-year veteran of the U.S. Secret Service, relies on three training delivery systems: face-to-face, podium-style sessions; CD-ROMs and other computer training; and DHS’s office of security website.

But perhaps the most aggressive front for reinforcing security messages is through the Security Customer Service Center where, says Johnson, “my edict is that you will not leave there until your issue has been resolved.”

Once Johnson’s got them in the door (there are signs throughout DHS’s 10 offices in Washington publicizing the center’s existence), his staff exploits employees’ visits to engage in a little security awareness upselling.

“We use this opportunity...to explain to them how security is integrated throughout everything we do at DHS. And how even in your job—whether you work as an analyst, as a budget person, as a procurement specialist, as a facilities specialist—security is important to everything you do,” says Johnson. “We give people different brochures and media, make sure they know where the website is, how to get to it and how they can go there to learn more about the concept of what we’re doing, why it’s important to the mission of the department, and how they can help themselves and their colleagues.”

And then they are released, freshly inoculated against the virus of security indifference. “I like to think of it as [educating about security] at a business case level,” he says. “You can show people that...actually, in the long run, security doesn’t cost, it pays.”

-Lew McCreary

PHOTO BY ROGER BALL

THE PROLETARIAN

Art Meinke keeps on top of security issues by staying in touch with airport screeners.

While many CSOs concentrate on improving their presentation skills for senior management, Art Meinke focuses on the rank and file.

As the Transportation Security Administration’s federal security director in Orlando, Fla., Meinke wants to know what’s on the minds of the 1,050 airline screeners under his watch who, on a typical day, process 50,000 people through security, and confiscate some 600 “sharps” and other dangerous objects. “My biggest fear is not knowing what’s being talked about at the frontline screener level,” Meinke says.

Keeping an ear to the multicultural ground comes naturally and by education to Meinke. Born in Indonesia, he spoke Dutch at home as a boy before moving to the United States, where he picked up Spanish in high school. He spent the first half of his 34-year career as a self-described blue-collar worker for United Airlines, including postings in Singapore and Brazil, where he learned Portuguese.

Then, during a year-long layoff, Meinke finished a BS in organizational behavior. When the union recalled him, he was ready to take on his first management position; from there, he worked his way up to general manager for United Airlines at Miami International Airport. Along the way he took Dale Carnegie courses in public speaking and interpersonal relationships.

Now, as one of the TSA’s 159 federal security directors across the nation, Meinke takes what he studied—and what he knows firsthand about employees’ skeptical views of management—and tries to create the kind of environment wherein people bring him their ideas. “You break down the mystique of management,” he says. “When people realize that you have to go to the grocery store to buy food, or that your car broke down because you got a flat tire—when you become more human—they will talk with you. They will raise concerns that you may not necessarily have known about. It’s incredibly useful.”

To encourage communication, Meinke is setting up a program in which he and his 15 senior staff members will each spend six hours a month working alongside the airline screeners. He established monthly town hall meetings where airline screeners and their supervisors (separately) can raise concerns.

Meinke says employees like the two-way communication. “If you’re talking with someone, you’re in a conversation. And if you’re talking to someone, you’re probably lecturing. And most people don’t like to get lectured.”

-S.D.S.

Spill Your Beans

OK, now it’s your turn. Share the secrets that have helped you communicate the value and improve the image of security at your company. Post your thoughts on our website. Go to www.csoonline.com/secrets.html.

PHOTO BY PRESTON MACK




Self-Assessment

Are You?

Take this quiz to find out if they love you—or loathe you

We tend to lump others into stereotypical roles, sometimes basing our judgment on relatively few data points. Take this quiz to see how others perceive your leadership style. The scoring guide at the end will provide a few practical pointers on how to help others perceive you as well-rounded, not one-dimensional. No peeking until you’ve circled your answers. (Nobody’s going to take you seriously if you’re perceived as a cheater.)

1 After a three-cocktail lunch, a top salesperson loses her laptop, full of proprietary customer lists, at a conference attended by several competitors. What do you do?

a) Immediately demand that the sales manager make an example of the employee by firing her.

b) Sit down with the sales manager and look at the employee’s past record, which is mostly good. Give her a new laptop and a little lecture.

c) Set up a committee to look at security policies, procedures and employee education efforts.

d) Install encryption on all company laptops, using this incident as your rationale. Let the sales manager decide what to do about the employee.

2 You write up a quick Web-surfing policy reminder e-mail to internal staff. Your style is...

a) ALL CAPS, clear and concise

b) Formal punctuation, grammar, signed with full name and title

c) Polite and to the point; punctuation optional

3 It’s Monday morning. You show up at work in...

a) Giorgio Armani—double-breasted to establish credibility

b) Tommy Hilfiger—snappy casual to establish approachability

c) Variable—depending on number and type of meetings scheduled

d) Parrothead—a fun workplace gets people jazzed

4 Books/authors you’re most likely to read:

a) George Patton, Rudy Giuliani, Jack Welch

b) Pulitzer Prize winners in history and biography, case studies on business mergers

c) The 7 Habits of Highly Effective People, Who Moved My Cheese?

d) Martin Luther King Jr., Deepak Chopra

ILLUSTRATION BY GLENN HILARIO


5 Your investigations team has just completed the background check of a new employee, and the results are not good. The employee didn’t list two jobs he briefly held in the last year and fudged his current salary. The hiring manager wants to look the other way, but you have a bad feeling. You decide...

a) You can’t ignore your gut. Insist that the person not be hired under any condition.

b) To coach the hiring manager on how to discuss these concerns with the individual, and design a plan to bring the person on board on a conditional basis.

c) To go by the book. What, specifically, does your policy state is unacceptable, and do any of these offenses meet those criteria? Later, you can review whether these policies are still appropriate.

d) To look for a new job. Why are you doing background investigations anyway, if no one cares about the results? It’s time for you to find a job where they respect security.

6  Leader  you  most  admire  on 
this  list: 

a)  Napoleon  Bonaparte 

b)  Abraham  Lincoln 

c)  Eleanor  Roosevelt 

d)  Joan  of  Arc 

7  When  the  CEO  drops  by 
(once  every  other  year),  he 
finds  your  office... 

a)  Army-inspection  spotless 

b)  Wallpapered  with  org  charts 
and  contact  lists 

c)  Unadorned 

d)  Full  of  inspirational  books  and 
colorful  gadgets 

8 Posted on your office door is...

a) Notice of today’s DHS alert color

b)  Dilbert  cartoon  making  fun  of 
the  boss 

c)  Dilbert  cartoon  making  fun  of 
work  life  in  general 

d)  Dilbert  cartoon  making  fun  of 
security 

9  You’re  at  an  all-day  offsite 
with  other  executives  at  a  local 
conference  center.  Right  before 
lunch,  the  place  is  swarmed 
with  cops  and  ambulances; 
apparently,  gunshots  were 
heard  coming  from  a  room 
upstairs,  and  you  are  told  there 
could  be  a  hostage  situation. 
The  meeting  leader  says  she 
talked  to  the  hotel  manager, 
who  assured  her  that  everything 
on  the  first  floor  was  fine,  but 
now  everyone  is  nervous.  You: 


a)  Take  control— this  is  a  security 
job,  not  the  job  of  a  conference 
organizer.  Make  an  executive 
decision  to  move  the  meeting 
back  to  the  office,  which  is 
safer  and  less  distracting. 

b)  Suggest  that  the  team  have 
lunch  at  a  local  restaurant 
instead  of  in  the  conference 
center.  There,  you  can  talk 
about  whether  to  go  back  for 
the  rest  of  the  day. 

c)  Tell  everyone  to  stay  calm  and 
eat  lunch.  You’ll  go  out  and 
evaluate  the  situation,  then 
come  back  with  some  options. 

d)  Reassure  everyone  that  the 
police  will  take  care  of  things 
and  evacuate  the  conference 
center  if  it's  required. 

10  People  most  often  compliment  you  as:


a)  Decisive 

b)  A  good  listener 

c)  Efficient 

d)  Creative 

11  You  find  a  genie  lamp  in  the 
CFO’s  office.  Your  first  wish  is 
for... 

a)  More  staff  accountability 

b)  More  boardroom  access 

c)  More  security  personnel 

d)  More  employee  awareness 
resources 

12  When  people  are  angry  at 
you,  they  most  often  use  words 
like: 

a)  Bull-headed  (if  you  hear  them 
say  anything) 

b)  Wishy-washy 

c)  Boring 

d)  Wacky 


SCORING 


Very  simple:  Add  up  your  responses  by  letter.  If  you 
have  a  preponderance  in  one  category  (more  B  answers 
than  anything  else,  for  example),  you're  quite  likely  per¬ 
ceived  as  a  category  B  leader.  Yes,  they’re  generalizations. 
We  know  that  your  style  for  writing  e-mails  does  not  auto¬ 
matically  make  you  a  Negotiator  or  an  Autocrat.  You  can 
combat  those  generalized  perceptions  by  consciously 
choosing  to  address  future  situations  in  different  styles. 


A)  The  Autocrat 

Examples:  Napoleon  Bona¬ 
parte,  Rudy  Giuliani 
Perceived  Strengths:  Par¬ 
ticularly  effective  in  a  crisis, 
giving  those  around  you  a 
greater  sense  of  certainty 
and  direction.  Some  people 
will  love  this  style  of  leader¬ 
ship,  praising  it  as  decisive 
and  efficient. 

Perceived  Weaknesses:  In  the  course  of  everyday  business,  this  style  can  rub  people  the  wrong  way.  If  they  feel  that  they’re  only  around  to  execute  your  orders,  the  group’s  creativity  will  be  dulled.  Behind-your-back  words  include  inflexible,  dogmatic.

Action  Plan:  Pick  some  spe¬ 
cific  (and  not  inconsequen¬ 
tial)  battles,  in  which  you’ll 
make  a  clear  effort  to  solicit 
input  from  many  sources, 
and  practice  consensus- 
style  decision  making. 

B)  The  Negotiator 

Examples:  Abraham  Lin¬ 
coln,  Jimmy  Carter 
Perceived  Strengths:  Brings 
multiple  parties  together 
despite  different  agendas. 
Makes  people  feel  that  their 
input  counts.  Consensus 
builder,  good  listener. 
Perceived  Weaknesses:  Those  same  parties  will  still  be  at  loggerheads  from  time  to  time;  the  negotiator  may  not  inspire  confidence  among  those  parties  that  a  final  decision  will  be  rendered  in  a  timely  manner.  Behind-your-back  words  include  wishy-washy,  pushover.

Action  Plan:  Identify  two  or 
three  situations  within  your 
authority  where  discussions 
are  dragging  out;  pick  a 
course  of  action  and  com¬ 
municate  that  you’ve  made 
a  final  decision  based  on  all 
input. 

C)  The  Pragmatist 

Examples:  Roald  Amund¬ 
sen,  Eleanor  Roosevelt 
Perceived  Strengths:  Prag¬ 
matists  are  doers  who  can 
accomplish  a  great  deal 
through  steady  work,  and 
compromise  when  neces¬ 
sary.  Admired  for  productiv¬ 
ity,  efficiency, 
levelheadedness. 

Perceived  Weaknesses:  Not  inspiring;  may  not  be  aware  of  what  gets  others  excited  about  their  work.  Behind-your-back  words  include  unimaginative,  dull,  overly  tactical.

Action  Plan:  Read  up  on 
leaders  recognized  for 
inspiring  passion  in  others. 
Getting  your  staff  and 
employees  creatively 
engaged  will  accomplish 
more  in  the  long  run. 

D)  The  Visionary

Examples:  Joan  of  Arc, 
Thomas  Edison,  Mohandas 
Gandhi 

Perceived  Strengths: 
Inspirational  and  creative. 
Perceived  Weaknesses: 
Opposite  of  the  Pragma¬ 
tist— may  be  regarded  as 
too  hands-off  or  as  leaving 
“the  real  work”  to  others. 
Behind-your-back  words 
include  lacking  common 
sense,  head-in-the-clouds, 
too  strategic. 

Action  Plan:  Roll  up  your 
sleeves;  mix  your  strategic 
agenda  with  concrete  tasks. 
Lead  staff  to  greater  pro¬ 
ductivity  through  example. 


December  2004  www.csoonline.com  33 


Metrics  Fitness 


[Photo-illustration:  mock-up  of  a  wallet-sized  metrics  card]

A  wallet-sized  card,  chock-full  of  metrics,  is  a  compact  way  to  convey  your  message  with  punch.


Seven  quick-and-dirty  tricks  for  using 
numbers  to  strengthen  your  case 
By  Sarah  D.  Scalet 


Bob  Hayes,  the  former  security  chief  for  3M  and  Georgia-Pacific  who  now  hangs  his  hat  at  this  magazine,  likes  to  joke  that  if  you  don’t  have  good  numbers  to  back  up  your  security  program,  you’d  better  get  a  good  tailor.  He’s  got  a  point.  That  starch  in  your  crisp  white  collar  can  only  hold  up  so  much.  If  you  really  want  to  make  a  good  impression,  you’ve  gotta  muscle  in  with  some  numbers.  We’re  talking  metrics,  baby—proof  positive  that  your  security  program  can  do  the  heavy  lifting  that’s  required.

To  help,  we’ve  compiled  some  dos  and  don’ts  for  using  numbers  to  make  a  case  for  security,  from  finding  the  right  metrics  to  dressing  them  up  real  pretty.  Here’s  to  getting  it  all  into  shape.

1  DO  Make  the  most  of  what  you’ve  got

Feel  like  you  don’t  have  much  to  begin  with? 
Don’t  despair.  It’s  not  just  what  you’ve  got,  as 
they  say,  but  how  you  work  it. 

Suppose,  for  instance,  that  half  a  million 
dollars’  worth  of  products  gets  stolen  on  the 
way  to  customers  each  year.  In  the  greater 
scheme  of  things,  other  executives  might  not 
care  much  about  $500,000  worth  of  goods. 
(They  can  send  the  cash  our  way  if  they  think  it’s  such  small  change.)  But  if  you  point  out
that  the  company  has  invested  hundreds  of 
millions  of  dollars  in  its  supply  chain  and  that 
customers  aren’t  getting  their  orders  on  time 
for  security  reasons,  “that  kind  of  talk  will  get 
people  very  interested  and  concerned,”  says 
David  Saenz,  vice  president  of  worldwide 
security  at  Levi  Strauss  &  Co. 

“Look  at  where  the  organization  is  going, 
and  see  how  your  work  contributes  to  that, 
and  then  link  your  priorities  and  service  to 
those  jobs,”  Saenz  adds.  In  other  words,  good 
numbers  are  all  about  business  context. 

You  might  already  have  more  useful  numbers  than  you  think.  Rate  data  is  one  place  to  start.  What  did  you  spend  last  year  per  employee  on  security?  Per  computer  on  information  security?  Per  square  foot  on  guards?  And  what  will  you  spend  next  year?  It’s  all  about  finding  good  metrics  within  your  reams  of  data.

PHOTO-ILLUSTRATION  BY  STEPHEN  WEBSTER

2  DON’T  Ignore 
where  you  started 

Whenever  you  decide  to  undertake  a  significant  project,  do  whatever  you  can  to  establish  a  baseline  first.  It’s  like  knowing  how  much  you  can  bench-press  on  your  first  day  at  the  gym.

Here’s  the  kind  of  example  you  probably 
dream  of.  A  few  years  back,  Saenz’s  group 
decided  to  act  on  a  businesswide  goal  of  reduc¬ 
ing  counterfeiting  in  key  markets.  The  first 
step  was  finding  out  exactly  what  market  share 
belonged  to  counterfeit  products  in  China, 
Italy  and  the  Philippines.  The  company  hired 
a  marketing  firm  to  conduct  a  survey,  and  it 
turned  out  that  40  percent  of  the  market  share 
was  counterfeit  Levis,  while  genuine  Levis  had 
only  9  percent  of  the  market  share  (which  still 
ranked  it  first  among  genuine  brands).  Saenz’s 
group  started  filing  lawsuits  against  sellers  and 
working  with  local  officials  to  seize  counterfeit 
goods;  over  the  course  of  a  few  years,  he  was  able  to  show  that  the  counterfeit  market  share  dropped  to  15  percent  and  Levi’s  genuine  market  share  rose  to  12  percent.

That’s  a  surefire  way  to  turn  some  heads, 
considering  where  Saenz  started.  And  look, 
ma,  no  calculus! 

3  DO  Get  creative

We  can  see  you  sweating  already.  Baseline? 
What  baseline?  Executives  outside  of  retail— 
and  those  who  are  trying  to  secure  IT  assets  in 
particular— complain  that  if  you’re  not  talking 
about  boxes  of  widgets,  it’s  hard  to  know 
where  to  get  that  baseline.  Sometimes  there 
are  industry  benchmarks  that  can  help.  The 
Building  Owners  &  Managers  Association 
International,  for  example,  tracks  how  much 
money  companies  are  spending  on  security 
per  rentable  square  foot  each  year.  But  other 
times,  you  might  have  to  get  more  creative. 

Ken  Pfiel,  CSO  of  Capital  IQ,  a  New  York- 
based  financial  services  technology  company 
that  was  recently  acquired  by  Standard  & 
Poor’s,  relies  on  infosec  studies  as  a  starting 
point.  He  says  that  if  you  know,  say,  that  a  cer¬ 
tain  virus  cost  companies  $X  billion,  then  you 
can  extrapolate  how  much  money  you  are  sav¬ 
ing  the  company.  That’ll  get  you  to  a  little 
something  called  a  return  on  security  invest¬ 
ment  (ROSI).  (Hint:  Your  CFO  will  like  that.) 


4  DON’T  Get  too 
creative 

Be  careful  about  the  numbers  you  begin  with, 
though,  or  you’ll  gain  a  rep  as  a  FUD-meister. 
(That’s  fear,  uncertainty  and  doubt,  for  those 
of  you  who’ve  managed  to  keep  the  words  out 
of  your  vocabulary.)  A  lot  of  the  vendor-driven 
research  has  its  own  game  plan:  getting  you  in 
the  door  and  your  pocketbook  open. 

“You’re  always  left  to  your  own  interpreta¬ 
tion  when  using  numbers  that  have  been  put 
out  there,”  Pfiel  warns.  “A  lot  of  [studies  pub¬ 
licized  by  vendors]  may  be  scare  tactics  and 
things  that  are  trying  to  draw  a  revenue,  but 
there  are  also  some  solid  facts  behind  that.  I 
think  a  good  rule  of  thumb  is  the  old  adage: 
Believe  half  of  what  you  see  and  none  of  what 
you  hear.  If  you  cut  those  numbers  in  half, 
you’ve  eliminated  your  margin  of  error.” 

Maybe  you’re  being  overly  conservative 
using  this  adage,  he  says,  “but  any  numbers,  as 
long  as  you  can  reference  them,  are  helpful.” 

5  DO  Get  people 
to  look  at  you 

POWER  POINTS

FOCUS  ON  WHAT  YOU  WANT  TO  SAY,  AND  SAY  IT  IN  SIMPLE,  CLEAR  TERMS

DON’T  CROWD  VISUAL  AIDS  WITH  SMALL  TYPE  AND  CONFUSING  CHARTS

DO  PUNCTUATE  YOUR  CLEAR  POINT  WITH  SIMPLE  CHARTS

Just  because  you  have  some  solid  numbers  to  share,  however,  doesn’t  mean  they  should  be  the  be-all  and  end-all  of  your  presentation  to  the  board.  Far  from  it.  You  don’t  want  to  blend  into  the  scenery.  “In  the  background  on  television,  when  you  see  [the  screen]  behind  Peter  Jennings  or  Dan  Rather  or  Tom  Brokaw,  what  does  it  contain?”  asks  Jerry  Weissman,  the  corporate  presentation  consultant  who  wrote  Presenting  to  Win:  The  Art  of  Telling  Your  Story.  “It  contains  two  words  or  four  words,  or  an  image  and  four  words,  and  then  they  [the  newscasters]  tell  the  story.”  They  don’t  rely  on  the  screen  to  tell  it  for  them.

Likewise,  make  sure  that  PowerPoint  slides 
are  backing  you  up  rather  than  repeating  your 
entire  message  and  then  some.  And  most  of 
all,  make  sure  they’re  legible.  Weissman  has 
seen  too  many  presentations  where  legends 
are  indecipherable  or  the  gridlines  are  impos¬ 
sible  to  follow.  (Haven’t  we  all,  really?  And 
don’t  they  always  happen  right  after  lunch?) 
And  don’t  get  Weissman  started  on  people 
who  don’t  right-justify  columns  of  numbers, 
leaving  an  inebriated-looking  column  of  com¬ 
mas  and  zeros.  “Any  one  of  these  violations  of 
the  depictions  of  the  numbers  is  a  distraction 
from  the  presenter  and  the  presenter’s  mes¬ 
sage,”  Weissman  says.  Keep  the  slides  simple, 
label  charts  clearly,  and  try  to  get  people  to 
look  at  you— not  your  numbers. 

6  DO  Leave  something  eye-catching  behind

A  better  bet  is  numbers  that  people  can  take 
away,  not  ones  they’ll  squint  at  while  you’re 
trying  to  make  your  case.  At  jobs  in  the  past, 
Hayes  liked  to  hand  out  an  annual  wallet  card 
that  summarized  what  the  security  depart¬ 
ment  had  accomplished  in  the  previous  year, 
compared  with  what  it  had  done  in  the  past. 
(See  a  mock-up  on  Page  34.)  The  trifold  card 
showed,  for  instance,  year-to-year  changes  in 
the  number  of  attempted  virus  attacks  and 
successful  virus  attacks,  and  it  highlighted  the 
cost  per  hour  of  a  full-time  security  employee 
versus  a  consultant.  (FTEs  are  a  bargain,  of 
course;  generally,  they  earn  two  digits  an  hour 
instead  of  three.  So  why  not  point  it  out?) 

You  can  either  create  a  wallet  card  on  your  own,  or,  better  yet,  try  to  adapt  whatever  kind  of  dashboard  or  scorecard  is  used  in  other  parts  of  the  business.  And  whenever  possible,  Hayes  says,  focus  on  output—not  input.  “I  had  a  senior  vice  president  once  say  there’s  a  big  difference  between  activity  and  results,”  Hayes  says.  “Yeah,  you  were  busy,  but  is  that  all  you  got?  Lots  of  people  are  busy.  What  would  happen  if  you  didn’t  do  your  job?”

METRIC-O-MATIC

ANSWER  THESE  QUESTIONS  TO  GIVE  YOURSELF  FIVE  NUMBERS  WITH  IMPACT

1  What  did  you  spend  per  employee  on  security?

2  What  did  you  spend  per  square  foot  on  security  guards?

3  What  did  you  spend  per  computer  on  information  security?

4  How  many  cases  did  you  investigate  per  employee?

5  How  many  criminal  prosecutions  did  you  have  per  100  cases?

7  DON’T  Ignore  the  alternatives

Decided  that  your  chance  of  finding  a  ROSI  is  about  as  good  as  your  appearing  on  the  cover  of  Esquire?  The  ability  to  directly  tie  the  work  you’re  doing  to  the  business  goal  can  be  a  good  substitute  for  hard-and-fast  numbers.  Alan  Mayer-Sommer,  an  associate  professor  at  Georgetown’s  McDonough  School  of  Business,  even  believes  that  the  popular  Balanced  Scorecard  approach  can  be  applied  to  security  in  a  very  effective  way.

This  business  strategy,  in  a  nutshell,  ensures  that  every  action  you  take  ties  back  to  stated  corporate  goals.  You  can  spend  lots  of  money  on  a  consultant  who  will  help  you  set  it  up,  or  take  the  quick-and-dirty  approach  of  spending  35  bucks  on  The  Balanced  Scorecard:  Translating  Strategy  into  Action  by  Robert  S.  Kaplan  and  David  P.  Norton.  “If  you  can  show  that  there  are  certain  objectives  within  your  department  that  will  directly  help  the  organization  achieve  its  broader  set  of  objectives,  then  you  have  a  basis  for  making  a  presentation  to  top  management,”  says  Mayer-Sommer,  who  gives  a  seminar  to  security  pros  every  year  through  a  joint  program  with  the  International  Security  Management  Association.

“The  traditional  way  is  you  wait  for  a  dis¬ 
aster  and  say,  Here’s  what  the  cost  is  going  to 
be  for  a  future  disaster,”  he  says.  “But  then 
people  lose  interest  after  a  while.  That 
approach  does  not  provide  you  with  a  more 
steady  and  reliable  way  of  building  relation¬ 
ships  and  enhancing  credibility.” 

Good  relationships,  after  all,  are  what  really 
make  you  stronger  in  the  long  run. 

Senior  Editor  Sarah  D.  Scalet  can  be  reached  at 
sscalet@cxo.com. 


The  Numbers  Don’t  Lie

Want  to  know  more  about  how  to  build  a  better  case  for  information  security?  Read  the  CSOonline.com  Analyst  Report  “Collecting  Effective  Security  Metrics,”  by  Robert  Frances  Group,  to  learn  which  numbers  to  include  in  your  next  presentation.  Go  to  www.csoonline.com/printlinks.




PHOTO  BY  CORBIS 


Middleware  is  Everywhere 


MIDDLEWARE  IS  IBM  SOFTWARE.  Identity  management 
software  that  uses  single  sign-on  technology  to  ensure  that 
the  right  access  is  given  to  the  right  people.  Open,  modular 
Tivoli  security  software  that  automates  processes  between 
employees,  partners,  customers  and  suppliers  -  while 
helping  to  reduce  costs.  It's  how  everyone  involved 
gets  the  information  they  need.  On  time.  And  on  demand. 


1.  Buyer  downloads  competitive  pricing. 

2.  Manager  securely  retrieves  invoices. 

3.  Driver  obtains  specific  delivery  details. 

4.  Ex-vendor  denied  access  to  intranet. 

5.  Customer’s  identity  protected  from  theft.

Middleware  for  the  on  demand  world.  Learn  more  at  ibm.com/middleware/identity  ON  DEMAND  BUSINESS

IBM,  the  IBM  logo,  Tivoli  and  the  On  Demand  logo  are  registered  trademarks  or  trademarks  of  International  Business  Machines  Corporation  in  the  United  States  and/or  other  countries.  ©  2004  IBM  Corporation.  All  rights  reserved.


Thirty-seven-year-old  ANDERS  NOYES,  safety  and  security  manager 
for  a  subsidiary  of  Lucasfilm,  is  about  to  become  CSO  of  the  whole  com¬ 
pany.  At  6  feet  3  inches  tall,  Noyes  has  a  physical  presence  that  is  mag¬ 
nified  by  his  stocky  frame.  Yet  his  twinkling  green  eyes,  quiet  but  jovial 
personality  and  casual  dress  seem  to  say  toy-store  owner  or  high  school 
band  leader  more  than  security  executive.  Noyes  has  been  with  Lucas¬ 
film  in  San  Rafael,  Calif.,  since  April  2004,  after  a  stint  as  security 
director  at  the  Asian  Art  Museum  in  San  Francisco. 


JEFF  ROSENTHAL  has  worked  in  leadership  development  and  execu¬ 
tive  coaching  for  more  than  15  years.  With  thick  eyebrows  that  frame 
large,  brown  eyes,  Rosenthal  has  an  effervescent,  “sincerely  pleased  to 
meet  you”  personality.  He’s  encouraging,  but  not  in  an  over-the-top, 
rah-rah  type  of  way.  Rosenthal  is  the  San  Francisco-based  vice  presi¬ 
dent  of  the  western  region  and  Asia  Pacific  at  BlessingWhite,  a  leader¬ 
ship  development  consultancy.  He  has  been  a  visiting  professor  at  the 
Haas  School  of  Business  at  the  University  of  California,  Berkeley. 




PHOTOGRAPHY  BY  JAY  WATSON 


Self-Improvement 


An  executive  coach 
takes  an  up-and- 
coming  CSO 
on  a  whirlwind 
self-improvement 
spree  By  Todd  Datz 


The  Regimen

Coming  into  a  daylong  meeting  with  an  executive  coach,  soon-to-be  CSO  Anders  Noyes  identified  four  main  goals:

•  Create  a  transition  strategy  to  go  from  leading  a  local  business  structure  to  leading  a  global  operation.

•  Develop  a  communication  strategy  that  demonstrates  the  value  of  security  functions  to  various  divisions  and  departments.

•  Discuss  ways  to  strengthen  his  professional  skills  in  C-level  communications  and  concerns.

•  Talk  about  how  to  enhance  his  leadership  skills.

The  Setting

An  office  park  in  a  commercial  section  of  San  Rafael,  Calif.,  some  30  minutes  north  of  San  Francisco.  The  building  is  one  of  a  series  of  low-slung  offices,  housing  computer  graphic  artists,  stagehands  and  other  employees  of  Lucasfilm’s  Industrial  Light  &  Magic  (ILM),  the  special  effects  company  formed  by  George  Lucas,  the  Hollywood  legend  famous  for  his  visual  wizardry  on  films  such  as  Star  Wars  and  Raiders  of  the  Lost  Ark.  Lucasfilm  is  a  private  company  that,  in  keeping  with  the  inclinations  of  its  founder,  has  avoided  the  limelight.  Likewise,  at  the  nondescript  ILM  campus,  there’s  no  glitz  and  glamour  or  any  other  indication  that  inside  these  brick  walls,  some  of  the  most  creative  minds  in  the  film  industry  are  doing  the  boffo  work  that  has  brought  ILM  to  the  pinnacle  of  the  special  effects  biz.

Two  men—one  the  safety  and  security  manager  for  Lucas  Digital,  the  other  an  executive  coach—have  agreed  to  spend  a  full  day  together  here.  The  purpose  of  the  meeting,  which  was  arranged  by  CSO,  is  to  help  Anders  Noyes,  the  security  manager,  sharpen  his  leadership  skills  during  an  important  transition:  Noyes  is  being  promoted  in  January  2005  to  the  newly  created  role  of  CSO  of  Lucasfilm,  the  parent  company  of  Lucas  Digital  and  ILM.

Think  of  it  as  an  episode  for  a  TV  series,  Coach  Eye  for  the  CSO  Guy.  Noyes  is  starring  in  the  role  of  willing  volunteer  who’s  put  himself  in  the  hands  of  a  local  expert,  seasoned  executive  coach  Jeff  Rosenthal.  Readers  and  viewers  can  tune  in  for  a  glimpse  into  how  the  executive  coaching  process  can  help  an  emerging  CSO  become  a  stronger,  more  effective  leader.


Big  Challenges 

Noyes  is  stepping  into  his  new  role  at  a  crucial  time  for  Lucas.  The  com¬ 
pany  is  moving  next  year  into  a  new  complex  called  the  Letterman  Digi¬ 
tal  Arts  Center,  located  in  the  Presidio,  a  national  park  and  national 
historic  landmark  district  just  north  of  the  Golden  Gate  bridge.  The  cen¬ 
ter  will  bring  together  Lucasfilm,  the  corporate  parent;  LucasArts,  which 
creates  entertainment  software  for  consumers;  and  ILM.  (The  center  will 
also  host  outside  tenants.) 

This  move  is  Noyes’s  primary  concern.  “They’re  all  coming  together  in  two  buildings,  so  there’s  a  potential  culture  clash,”  he  says.  The  Letterman  center  will  also  be  open  to  the  public,  which  means  employees  will  be  moving  from  relatively  sequestered  offices  to  a  complex  where  they  have  to  be  more  aware  of  issues  such  as  access  control.

Noyes  will  also  be  wearing  a  new  global  hat.  He’ll  be  responsible  for 
security  at  the  company’s  new  digital  animation  studio,  Lucasfilm  Ani¬ 
mation  Singapore,  a  partnership  with  the  Singapore  Economic  Develop¬ 
ment  Board.  In  that  role,  he’ll  need  to  work  with  law  enforcement  agencies 
in  that  country  and  deal  with  intellectual  property  issues. 

The  scope  of  his  job  will  increase  as  well.  After  his  promotion,  Noyes’s 
responsibilities  will  include  physical  and  information  security,  IP  protec¬ 
tion  and  investigation,  risk  assessment,  workplace  violence  prevention 
programs,  location  security  for  productions,  and  consulting  with  third- 
party  tenants  on  the  campuses.  Noyes  will  have  about  60  direct  reports 
instead  of  just  six. 




A  CSO  Is  Born 

After  going  over  Noyes’s  goals  and  challenges, 
Rosenthal  settles  into  his  Aeron  chair  and 
changes  gears.  “I'd  like  to  switch  now  to  get¬ 
ting  to  know  you,  as  both  a  person  and  a 
leader,”  he  says.  The  meeting  takes  on  the  tone 
of  a  therapy  session,  with  Noyes  talking  about  his  background  much  as  a  patient  might  upon  visiting  a  psychologist  for  the  first  time.

When  Noyes  graduated  from  high  school  in 
1985,  his  parents  knew  they  couldn’t  afford 
to  send  both  him  and  his  younger  brother  to 
college,  so  Noyes  joined  the  workforce, 
answering  phones  as  a  public  safety  dispatcher 
in  San  Francisco.  Soon  he  became  a  police 
officer,  patrolling  the  city  of  Pacifica,  just  south 
of  San  Francisco. 

When  Rosenthal  asks  him  to  think  about 
his  defining  moments  from  those  years,  Noyes 
explains  that  he  has  always  played  the  role  of 
protector.  When  he  was  four  years  old,  he 
helped  play  peacemaker  between  his  mother 
and  his  younger  brother,  who  was  tossing  the 
family’s  kittens  in  the  air.  In  high  school,  he 


cooled  down  confrontations  between  his 
friends  and  others.  On  the  police  force,  he 
won  awards  for  his  work  in  schools  and  the 
community  on  preventing  child  abuse. 

But  after  12  years  as  a  police  officer,  Noyes 
hurt  his  back  bending  over  to  collect  evidence 
during  a  marijuana  bust.  The  injury  forced 
him  into  a  desk  job  and,  eventually,  off  the 
force.  “It  was  disappointing  because  that  was 
my  whole  world,”  he  recalls.  “The  force  had 
become  my  second  family.” 

After  a  brief  stint  with  his  father’s  business, 
Noyes  took  a  job  in  1999  as  head  of  loss  pre¬ 
vention  at  the  Sony  Metreon,  a  shopping  and 
entertainment  complex  in  San  Francisco.  Two 
years  later,  looking  for  a  new  challenge,  Noyes 
became  director  of  museum  security  services 
at  the  city’s  Asian  Art  Museum.  There,  Noyes 
says  with  uncharacteristic  swagger,  he  helped 
build  one  of  the  top  museum  security  organ¬ 
izations  in  the  country. 

In  April  2004,  he  left  the  museum  and  joined  ILM,  where  he  currently  reports  to  the  director  of  corporate  real  estate  operations  for  Lucas  Digital.  Upon  his  promotion,  he’ll  report  to  Angelo  Garcia,  director  of  Lucas  Real  Estate  Holdings,  which  oversees  all  of  the  company’s  properties.

Feedback  Time 

It’s  time  for  Rosenthal  and  Noyes  to  pore  over 
the  leadership  assessment  report,  a  compila¬ 
tion  of  feedback  Rosenthal  has  gathered  from 
eight  of  Noyes’s  peers  and  direct  reports.  The 
bottom  line:  His  cohorts  rate  him  quite  favor¬ 
ably  in  nearly  every  category.  On  the  1-7  scale 
used  to  rate  his  strengths  (1  being  lowest), 
Noyes  hovers  around  a  6  on  the  leadership 
categories  used  in  the  survey.  That  makes  for 
a  little  less  drama  in  the  day’s  session.  If  Noyes 
had  received  some  lower  scores,  there  might 
have  been  an  opportunity  for  more  interesting 
probing.  (“Why  do  you  think  your  peers  gave 
you  a  2.5  for:  demonstrates  business  compe¬ 
tence?”)  But  Rosenthal  does  zero  in  on  a  cou¬ 
ple  of  categories  in  which  Noyes’s  peers  rated 
him  higher  than  he  rated  himself. 

For  example,  in  the  category  of  “internal 
attunement,”  which  includes  self-awareness 
and  having  “the  confidence  to  assert  [one’s] 
own  views  and  challenge  ideas  or  decisions 
based  on  personal  passion  or  conviction,”  oth¬ 
ers  gave  Noyes  a  5.8,  but  he  gave  himself  only 
a  5.2.  Rosenthal  wants  to  know  why. 

“It’s  always  been  a  conflict  for  me,  from  the 
police  up  until  now,”  Noyes  says.  “For  example, 
as  an  officer,  you  have  to  enforce  laws  you  don’t 
always  agree  with.”  He  says  that  he  sometimes 
may  not  agree  with  a  decision  or  plan,  but  he 
goes  along  and  makes  the  plan  actionable  for 
his  staff  because,  well,  that’s  his  job. 

“With  the  title  you’re  going  to  have  and  the 
role  you’re  going  to  play,  [other  executives]  are 
going  to  expect  you  to  not  just  enforce  the 
law;  you’ll  be  writing  it,”  Rosenthal  tells 
Noyes.  “I  would  assume  they’ll  be  looking  to 
you  to  lead  the  way  when  the  way  hasn’t  been 
led  before.” 


Thanks,  Coach 

In  a  recent  survey,  senior  executives  listed  the 
following  benefits  of  executive  coaching: 

77%  Improved  relationships  with  subordinates 
71%  Improved  relationships  with  supervisors 
67%  Increased  teamwork  among  workers 
63%  Improved  relationships  with  peers 
61%  Greater  job  satisfaction 
53%  Improved  productivity  from  employees 
48%  Higher  quality  work  from  employees 
48%  Strengthened  the  organization 

SOURCE:  “ROI  FOR  EXECUTIVE  COACHING,"  RIGHT  MANAGEMENT  CONSULTANTS 




INFOSEC  WORLD  CONFERENCE  &  EXPO  2005

APRIL  4-6,  2005,  ORLANDO,  FL
DISNEY’S  CORONADO  SPRINGS  RESORT
Optional  Workshops  April  2,  3,  6,  7  &  8
Vendor  Expo  April  4  &  5

Special  Early-Bird  Offer!  Register  for  InfoSec  World  by  December  17,  2004,  and  you  get  $100  OFF  the  conference  registration  fee!  This  offer  cannot  be  combined  with  other  discounts.

COVERS  EVERY  ANGLE  OF  SECURITY!

Whether  you  want  to  learn  about  the  latest  cyber  threats,  discover  where  and  how  physical  and  IT  security  intersect,  get  a  better  handle  on  hacking  techniques,  or  learn  how  top  organizations  have  successfully  implemented  information  security  programs,  InfoSec  World  2005  has  it  all!  Featuring  case  studies,  demos,  and  hands-on  exercises,  the  conference  delivers  the  complete  package  of  over  90  focused  sessions.

Keynote  Speakers

Roger  W.  Cressey,  NBC  Counterterrorism  Analyst  and  Former  Presidential  …

Bob  Woodward,  Pulitzer  Prize-Winning  Journalist,  Assistant  Managing  Editor  of  Investigative  News,  The  Washington  Post

Richard  Thieme,  Prominent  American  techno-philosopher,  author,  and  one  of  the  most  visible  commentators  on  technology  and  society

3rd  Annual  CISO  Executive  Summit

This  intensive  one-day  program  on  Sunday,  April  3,  is  designed  exclusively  for  IT  security  thought  leaders.  Featuring  high-profile  experts,  a  targeted  agenda  and  a  wealth  of  opportunity  for  networking,  this  unique  day  is  guaranteed  to  be  enriching  and  inspiring.  To  register  go  to  www.misti.com/ciso

The  InfoSec  World  Expo

The  gathering  place  for  hundreds  of  cutting-edge  IT  security  vendors,  the  Expo  offers  the  very  latest  in  products  and  technologies  to  help  you  maximize  your  controls  and  minimize  your  vulnerabilities.  Make  sure  you’re  there  to  get  up-to-date  on  the  latest  tech  trends,  view  demos,  make  new  business  contacts,  and  take  home  free  gifts,  plus  you’ll  have  the  chance  to  win  big  prizes!

Register  today  at  www.misti.com/infosecworld

MIS  Training  Institute

PLATINUM  SPONSORS:  Qualys,  Citadel  Security  Software  (sponsor  logos)

2005  MEDIA  SPONSORS:  Computer  Society,  (ISC)²,  Communications  News,  www.net-security.org  (sponsor  logos)

Rosenthal  brings  up  the  leadership  notion  of  being  either  a  thermometer  or  a  thermostat.  Perhaps  Noyes  is  more  prone  to  measuring  other  people’s  feelings  and  reflecting  them—acting  as  a  thermometer—because  of  his  propensity  to  play  referee  or  peacemaker.  (Think  back  to  Noyes’s  intervening  between  his  mother  and  brother.)  Noyes  may  want  to  become  more  of  a  thermostat  in  his  new  position—that  is,  making  his  point  of  view  known  and  pushing  back  on  decisions  he  does  not  agree  with.

“I  would  be  pushing  you  more  on  the  side  of  the  leadership  role,”  Rosenthal  says.  “And  if  people  say,  ‘Whoa!  Back  off,’  that’s  better  than  them  saying,  ‘Hey,  he  should  be  doing  more.’”  Noyes  nods  in  agreement.

Rosenthal  asks  Noyes  to  name  the  things 
he  found  most  and  least  surprising  in  the 
assessments.  Noyes  says  that  he  was  least 
surprised  by  his  high  ranking  in  integrity,  a 
trait  he  values  strongly  in  himself  and  one  he 
believes  is  critical  to  good  leadership.  He 
was,  however,  surprised  that  others  didn’t  rate 
him  as  low  as  he  rated  himself  in  terms  of 
challenging  the  decisions  made  by  others  (5.5 
instead  of  4). 

Rosenthal  gives  kudos  to  his  client  for  his 
6.8  score  in  the  “demonstrates  admirable 
character”  category.  “If  I  had  to  pick  one  thing 
to  be  best  at,  that’s  it,”  he  says.  “That’s  an 
extremely  high  score;  that’s  90  percent  of 
being  able  to  do  a  good  job.  Everything  else  is 
window  dressing  compared  to  that.” 

The  Action  Plan 

It’s the end of the afternoon. One couldn’t fault Noyes if he was beginning to show signs of fatigue; after all, a lot of self-examination has been crammed into a single, turbocharged day. (Typically, Rosenthal wouldn’t cover so much ground in one day. For example, at this point in the session, he would schedule a time to observe the client giving a speech or go over e-mails or voice mails the client had sent.) But, if anything, Noyes seems energized as Rosenthal moves right into the action plan—things Noyes can do to prepare for his new CSO role and help him achieve the objectives he outlined prior to the day’s meeting.

The Results

At the end of the day, executive coach Jeff Rosenthal summarized the transitions the new CSO needs to make:

• One-on-one relationships to team relationships
• Peacemaker to policy-maker
• One culture to multiple cultures
• Limited C-level interaction to broad and higher-level interaction
• Modest expectations of staff to higher standards
• National to international
• Interpreting company culture to reinforcing and creating company culture
• Getting compliance to getting commitment

To make the transition from a local to a global role, Rosenthal suggests networking with other CSOs in international companies and learning more about doing business in Asian cultures, specifically Singapore. To develop a communication strategy, he tells Noyes to draft a 15- to 30-minute speech to deliver to the senior management team in his first two weeks as CSO, laying out his core themes and goals for the CSO role. “Write it as if you’re going to do it,” says Rosenthal. The goal of the speech is to get the business execs to understand the value of the security function, “to walk out saying, I get it; I’m fired up,” he says.

He also thinks Noyes should draft a communication to present to the security team in the first week of his new role. “Say, This is who I am, what I’m hoping to do, my vision. You have a role in [security]; it’s not my way or the highway,” Rosenthal advises.

Postscript 

A  week  after  the  meeting,  CSO  followed 
up  with  Noyes  to  get  his  feedback  on  the 
coaching  session.  His  verdict:  a  big 
thumbs-up.  Most  valuable,  he  says,  was 
the  list  of  transitions  he  needs  to  make. 
(See  “The  Results”  on  this  page.) 

“It points to the key goals I want to achieve over the next few months,” he says, adding that he’s also forming strategies on how to get there, including drafting the two speeches. When finished, Noyes plans on sending them to Rosenthal for comment.

Noyes  also  found  the  leadership 
assessment  report  especially  valuable.  “I 
assumed  I  would  rate  myself  higher 
than  others,”  he  says.  “To  find  that  the 
scores  were  close  was  gratifying  and  helped 
me  think  that  maybe  I’m  projecting  what  I 
think  I  am.” 

As for whether he’ll continue using Rosenthal as a coach, Noyes sounds a positive note. After he sends him the speeches, Noyes plans on talking with Rosenthal about the possibility of continuing their newly formed relationship. Certainly costs will be a part of that discussion. Rosenthal says the daily rate for coaches ranges from $2,500 to $10,000, adding that most charge between $2,500 and $5,000. Noyes says the session was valuable to him personally, and he hopes to translate that value to the company.

So  would  Noyes  recommend  a  coach  to 
other  CSOs?  Definitely— if  they  think  they’re 
the  right  fit. 

“It goes along with your personality type to some extent,” he says. “You’ve got to be looking to better yourself.”


Senior  Editor  Todd  Datz  can  be  reached  at  tdatz@cxo.com. 


FOR MORE INFO


International Coach Federation

www.coachfederation.org

A nonprofit global professional association that offers a referral service.


The  Coaches  Training  Institute 

www.thecoaches.com 

An  educational  group  that  offers  a 
find-a-coach  service. 


CoachInc.com

www.coachinc.com 

A  group  of  companies  that  also  offers 
an  executive  coach  search  service. 


42  www.csoonline.com  December  2004 


a  Winner 


[But  you  already  knew  that,  didn’t  you?] 


CSO  is  again  the  proud  recipient  of  honors  at  the 
prestigious  2004  Jesse  H.  Neal  Awards.  CSO  was 
honored  with  four  awards  including  Best  Single  Article 
and  Best  Single  Issue.  CSO  was  also  honored  as  second 
runner-up  to  sister  publication  CIO  magazine  for  the 
Grand  Neal  Award— the  top  editorial  honor  granted  to 
one  publication  from  almost  1,300  entries  across  all 
categories  and  circulation  sizes. 


The  Neal  Award  judges  aren’t  the  only  ones  who  value 
CSO  magazine.  CSOs  choose  CSO  magazine  as  the 
publication  most  relied  on  for  security-related  strategies 
and  best  practices* 


NOW  THAT’S  WHAT  WE  CALL  AN  AWARD! 


Often hailed for its preeminence as the “Pulitzer Prize of the business press,” the Neal Award is the business publishing industry’s annual salute to individual editors for outstanding editorial excellence.


The  Resource  for 
Security  Executives 


*  SOURCE:  CSO  READER  PROFILE  STUDY,  RESEARCH  RESULTS, 
OCTOBER  2003. 




BEFORE: “I never said, Let’s change my image,” says Schmidt. “This wasn’t that deliberate.”




Marketing Security

Some companies are so serious about security, they try to make it part of their corporate image
By Malcolm Wheatley

If the challenge for CSOs is to market themselves—and the security message—more effectively, then surely the companies below must represent the end goal. Citigroup, Microsoft, OnStar and El Al are so security-conscious that they’ve all, in one way or another, incorporated it into their brand image. Translation: They advertise security or otherwise make it part of the message they present to customers and business partners. Look closely, though, and you’ll find that these companies share a common goal: to create a sense of trust for their customers—while being careful not to overpromise.

ILLUSTRATION BY TERRY ALLEN

CITIGROUP

Fights Identity Theft

In February 2003, Derek Bond, a 72-year-old retiree from Bristol, England, spent three weeks sleeping on the concrete floor of a South African jail after his name and passport number showed up on an FBI wanted list as he arrived in the country for a vacation. In vain, he protested that not only was he ignorant of any supposed crimes he’d committed in America, but he’d never even been to the country. Release didn’t come until the publicity surrounding his fate prompted an informant to point the FBI to the “Derek Bond” whom they did want to talk to—comfortably holed up in Las Vegas, after purloining the identity of the real Mr. Bond some 14 years before.

COMMERCIAL APPEAL

Identity theft prevention makes it big on the small screen: Adweek magazine named Citigroup’s humorous TV spots as 2003’s advertising campaign of the year.

Bond’s misfortune illustrates—to the extreme—the menace of identity theft. But it’s not jail time that worries people so much as impaired credit records and fraud. Armed with just a few pieces of information—information readily available from trash or stolen documents—identity thieves can take advantage of lax security at financial institutions to enrich themselves.

Not  if  Citigroup  can  help  it,  says  Ronni 
Burns,  director  of  business  practices  for  Citi 
Cards,  the  group’s  credit  card  arm.  In  1991, 
she  says,  Citi  was  among  the  first  card  issuers 
to  offer  its  customers  early  warning  of  fraud, 
by  programming  computers  to  spot  suspicious 
transactions.  And  in  1992,  Citi  followed  this  by 
being  the  first  major  card  issuer  to  include 
customers’  photographs  on  cards. 

Most recently, Citi has bolstered its identity-theft prevention offerings with a personalized solution that involves trained counselors providing support to victims. In the event that a customer’s identity is stolen, explains Burns, a single Citi representative is assigned to the case to help customers identify the fraudulent transactions, fill in the various police forms, notify credit bureaus and generally get their lives back on track.

A high-profile advertisement campaign to launch the service has certainly caught the imagination of both consumers and the advertising industry. Victims are shown on screen going about their everyday activities—but the voice coming from their mouths is that of the thief, who is usually describing what he did with the money he stole.

The television advertising spots were named 2003’s advertising campaign of the year by Adweek magazine, and also won an Emmy. “The person you see on screen and the voice you hear are very disconnected, as are the topics being discussed,” says David Sigel, group account director at Fallon Worldwide of Minneapolis, which dreamed up the ads. “It’s very funny—but very vividly brings identity theft to life.”

At Citi, Burns concedes that it’s difficult to determine the number of new customers the service has brought the bank. “In terms of fraud detection, our customer satisfaction ratings are extremely high, and amazingly high in terms of the identity theft solution—which is usually a good leading indicator of new business,” she says.

MICROSOFT 

Aims  for  Trustworthiness 

Curiously,  one  of  the  biggest  developments  in 
Microsoft’s  history— and  certainly  one  that  is 
intended  to  have  an  enormous  impact  on  its 
customers— isn’t  being  marketed  yet.  Or  at 
least  not  in  the  direct  manner  that  Citigroup 
is  using. 

While Microsoft does actively promote some security-related products (including through advertisements in CSO), “Trustworthy Computing,” as the company christens it, deliberately isn’t mentioned in the company’s advertising. “There is no advertising around Trustworthy Computing at all,” insists Microsoft spokeswoman Nicole Miller. “As far as I can recall, there hasn’t been a single press release on the subject.” The company does, of course, provide a website that explains the initiative, and a quick Google search will turn up plenty of Microsoft quotes discussing the initiative in the media. The initiative stems from Chairman Bill Gates’ well-publicized leaked edict to Microsoft’s 50,000 employees in January 2002. After a turbulent period during which security loophole after security loophole was found in the company’s products, Gates was forced to recognize the adverse impact on Microsoft’s reputation. From here on, he insisted, security was job number one. “Flaws in a single Microsoft product...not only affect the quality of our platform and services overall, but also our customers’ view of us as a company,” Gates wrote. “We can and must do better.”

But how much better? Well, Gates pointed to the local phone company as the role model: Security should be as reliable as the telephone system’s dial tone. But to Gates, customers’ perceptions of Microsoft were far from allowing the company to include itself in the same category. A long-term mission, dubbed the Trustworthy Computing Initiative, was henceforth under way to redeem Microsoft’s brand and image in the eyes of its customers.

A little short of three years later, Microsoft is still hesitant to portray itself as now trusted and secure. The company talks about security, sure. Windows XP Service Pack 2, says Microsoft’s Miller, is promoted “because Microsoft feels that it provides better protection for its customers.” But Trustworthy Computing itself is still a long way from victory.

In fact, says Chief Security Strategist Scott Charney, who describes the initiative as “very much a work in progress,” Microsoft has had to apply strong-arm tactics to software vendors who have built Microsoft technologies into their products: They are not to make claims that aren’t yet matched by the reality that Gates wants to see. “We’ve told vendors not to put out advertisements saying that you can have a secure environment on a Microsoft platform, because we’re just not there yet,” says Charney.

Nor will those vendors be making such claims anytime soon. According to Charney, Trustworthy Computing is a root-and-branch reform of the way the company conceives, designs and codes its products. Some practices were probably long overdue: a central database logging every alteration to a product’s code, for example. But the biggest transformation has been the decision to adopt what Charney describes as a “security development lifecycle”—building security into a product from conception, rather than through repeated testing and debugging.

“We’ve changed the way that we develop code: We first develop threat models that look at how that code might be attacked—and then we build responses to those threats into the code,” he says. “It’s systemic, rather than trying to fix individual bugs.”

No product has yet gone through the whole process, but Charney offers some evidence that products being released today (which have gone through at least part of the process) have a much improved security performance. Windows Server 2000, for example, had 42 distinct security flaws announced in the first year of release. Windows Server 2003, however, had just 14. That’s a data point that might show the way to a transformed brand and image for a company that sorely needs to get the security religion.

EL AL’S REVERSE BRANDING

THE ISRAELI AIRLINE HAS AN UNUSUAL PROBLEM: TRYING TO EXPAND ITS IMAGE BEYOND SECURITY

For years, El Al didn't even mention security in its marketing messages. There was no need to: The airline’s attitude toward security was legendary, and if you were flying El Al, you knew all you needed to about its meticulous approach. Most airlines, for example, surely would have missed the pregnant Irish woman in 1986 who was attempting to board a flight from London to Tel Aviv. Several pounds of explosives had been secretly sewed into her handbag (unbeknownst to her) by her Jordanian boyfriend, and were rigged to explode when the flight was airborne. But El Al noticed.

So its branding revolved around other messages. “El Al in English means ‘taking off,’ or ‘going up,’ and for years the airline relied on a Hebrew tagline that translates roughly as ‘The heart taking off,’” says Shahar Silbershatz, an Israeli citizen who is managing director of London-based brand consultancy Karakter, and who in the past has worked on the El Al account, advising the airline on brand issues and marketing. Another brand message aimed to position the airline as the “loyal” way to arrive in Israel, he explains, employing a tagline that translates as “Coming home.”

Post-9/11, with the airline being readied for privatization—involving, among other things, a stricter approach to profitability—the marketing message changed. In the summer of 2002, explains Silbershatz, El Al rolled out its new tagline, which translates as “Not just because of security.” It’s a message that tries to deflect the downside of having a strong reputation for security: While there was no doubt about the airline's commitment to safety, there was doubt in consumers’ minds about its commitment to other aspects of the in-flight experience.

“For better or worse, El Al shares a lot of the characteristics of the Israeli national identity: Safety and security are paramount,” Silbershatz says.

That means things like in-flight service and catering are of secondary importance. But according to Silbershatz, experienced passengers (including Silbershatz himself, thanks to regular business trips back to Tel Aviv) don't mind too much. The service may be a little rough at times, he says, but the welcome is warmer than it first appears. “El Al is a little like Israel's famous cactuslike sabra fruit,” he says. “The people are prickly on the outside, but a lot friendlier once you get to know them.”

-M.W.


ONSTAR 


Sells  Peace  of  Mind 

If  you’re  going  to  set  up  in  business  as  a 
guardian  angel,  you’d  better  be  a  guardian 
angel  that  people  trust.  That,  in  a  nutshell,  is 
the  brand  challenge  facing  OnStar,  the  in-car, 
cell-phone-based  driver  assistance  service. 
Lost  and  confused,  in  an  auto  wreck,  broken 
down  or  needing  any  other  kind  of  assistance? 
Press  the  OnStar  button  in  your  car  and  a 
friendly  voice  will  answer,  ready  to  assist  you. 

“Key to the promise of the brand is that a real, live person will share your problem and help resolve it,” says Andrew Young, director of marketing at Detroit-based OnStar, who’s been with the business since its inception in 1996. “They’ll make connections, find information and help you.”

The help depends on the nature of the problem. OnStar is careful to avoid overpromising, says Young, and tries hard to make sure that subscribers understand the limitations of the service. “We’ve tried to be very honest in how we market the service and build the brand,” he says. “We are a significant enhancement to someone’s security and safety, but we’re not 100 percent. We don’t own the wireless networks, we need an electrical supply in the vehicle, and we don’t have a roadside capability of our own. We’re an interface between the consumer and third-party service providers. We provide peace of mind.”

That said, OnStar is astute in pointing out what it can do—especially when that highlights what others can’t do. Often that boils down to OnStar’s marriage of cell-phone telephony with GPS satellite navigation capabilities. When you’re lost, for example, two critical pieces of information are (1) where you are and (2) the directions for getting back on course. As Young observes, if there’s no one around to tell you—or if you’re in the sort of location where getting out and asking seems inadvisable—then OnStar is a perfect solution.

Likewise, he adds, dialing 911 in an emergency is all very well and good, but how does the dispatcher know where you are? Minutes




The ROI of STORAGE

Strategies for Getting the Most Out of Your Storage Management Investment

New Kinds of Networks • Backup and Recovery
Enterprise Solutions • Real-World Payoffs

CSO Custom Publishing Advertising Supplement


The  right  storage  solution 
doesn't  just  give  you  better 
storage  control.  It  helps  you  make 
better  business  decisions. 

Storage  Management  Solutions 

The  first  step  in  making  better  business  decisions?  Deciding  to  be  in  control. 
CA's  Intelligent  Storage  Management  solutions  can  put  you  in  control  of  costs, 
resources  and  data  availability  like  never  before.  They  provide  you  with  a 
comprehensive  real-time  view  of  your  system's  storage  capabilities,  while  also 
providing  immediate  access  to  all  of  your  information.  As  a  result,  you  can 
manage  and  monitor  your  entire  storage  environment  with  ease  and  actually 
use  existing  data.  As  always,  it's  also  vendor-  and  device-neutral,  so  you  can 
maximize  your  current  storage  resources,  saving  time  and  money.  With  more 
automated  software  that  can  make  its  own  decisions  about  storage 
management,  you'll  have  the  information  you  need  to  make  better  business 
decisions.  To  find  out  more  or  to  get  a  white  paper,  go  to  ca.com/driver. 


Computer  Associates 


ADVERTISING  SUPPLEMENT 

Strategic Directions

NOVEMBER  15,  CIO/DECEMBER  CSO 
VOLUME  6,  NUMBER  4 


6 Start with a Strategy

8 Coping with Complexity: Enterprise Storage Management Solutions

12 Storage as Utility

14 New Kinds of Storage Networks

18 Reliable Backup and Recovery Solutions


agenda

The Storage Story

BEHIND EVERY GREAT BUSINESS/IT PRIORITY ... IS A SOLID STORAGE STRATEGY

BY TOM FIELD

IN  its  annual  “State  of  the  CIO”  survey,  CIO  magazine  recently  asked 
some  leading  executives  about  their  technology  priorities  for  2005. 
The  top  five  responses  were: 

• Integrating/enhancing systems and processes
• Ensuring data security and integrity
• Improving external customer service/relationship management
• Redesigning/rationalizing the IT architecture
• Enabling/enhancing e-commerce
The  common  element  that  could  play  a  huge  role  in  each  of  those 
priorities:  Data  storage. 

Once relegated to the tactical techies on the lowest rungs of the IT organizational ladder, storage projects are assuming strategic importance in many enterprises.

They’ve also delivered business value in a variety of areas. Information security, regulatory compliance, business intelligence—all rely on smart storage strategies.

Granted, the business-oriented approach to data storage goes by many names—information lifecycle management and storage resource management, to name just a few. But they all boil down to one core objective: Making sure your company always has access to the right information at the right time.

In this issue of Strategic Directions—the last of 2004—you’ll find a treasure trove of advice on developing strategies for preserving, securing, storing, and accessing your company’s critical information assets.

About Strategic Directions: This ongoing series of CIO magazine supplements, produced by CXO Media’s Custom Publishing Group, focuses on the key business-critical technologies and solutions. Through research, analysis, case studies and vendor profiles, we aim to provide you with executive-level primers on today’s hottest IT topics.

We’ll be back in 2005 with a new and improved Strategic Directions—we’ll even have a new name for the publication—but the objectives will remain the same. And we’ll continue to seek your guidance. Please let us know which technologies you’d like us to explore in 2005.


4 STRATEGIC DIRECTIONS


Tom  Field  is  director  of  content  development  for  CXO  Media’s  Custom  Publishing  Group. 
Please  send  your  thoughts  on  Strategic  Directions  to  Tom  at  tfield@cxo.com. 


EMC²

where  information  lives 


a  wide  range  of  information  management  challenges 


a  wide  range  of  software  to  overcome  them 


EMC  SOFTWARE  GIVES  YOU  MORE  OPTIONS,  MORE  CHOICES.  You  have  all  kinds  of  information 
management  challenges.  EMC  has  the  software  to  help  you  overcome  them.  Whether  you’re  dealing  with 
storage  management  or  content  management.  So  you  can  manage  growth,  protect  and  recover  information, 
achieve  compliance  and  business  continuity,  and  keep  everything  running  smoothly.  And  EMC  software 
works  with  your  systems  and  software.  Now,  and  in  the  future.  To  learn  more,  visit  www.EMC.com/software. 


EMC², EMC, and where information lives are registered trademarks of EMC Corporation. © 2004 EMC Corporation. All rights reserved.




the ROI of storage

HOW MUCH DATA-STORAGE capacity does your organization need to house its information assets? How much will it need next year? The year after that?

“We’re averaging 30 to 50 percent growth annually,” says Hugh Hale, director of technical services at Blue Cross and Blue Shield of Tennessee (BCBST). It took the Chattanooga-based provider of health care insurance and services from 1945 until 1997 to build up one terabyte of information. But, Hale says, between 1997 and 2004, the company’s stored data skyrocketed to 120 terabytes.

REAL-WORLD PAYOFF: A SINGLE NETWORKED STORAGE ENVIRONMENT

By consolidating its data storage into a single networked environment and deploying a McData SAN solution, Blue Cross and Blue Shield of Tennessee has seen its investment paid back in three months and expects first-year cost savings of nearly $600,000. The SAN has:

• Cut storage spending by 60%
• Lowered storage maintenance costs by 70%
• Boosted storage utilization by 40%
• Slashed data network-related downtime exposure by 50%

BCBST isn’t alone in its ever-increasing demand for storage. Industry figures indicate that, at virtually every organization of every size, overall storage capacity is doubling every 12 to 18 months, says Ken Steinhardt, director of technology analysis at Hopkinton, Mass.-based EMC Corp., which specializes in storage management solutions and services. Meanwhile, most IT budgets have stayed nearly flat, forcing CIOs to improve IT staff productivity without increasing headcount.

In addition, “companies need to be able to track their information and storage assets over time, identify which departments or applications they belong to, and understand how their utilization has changed over time,” Steinhardt says. “For many IT organizations, compiling this information is a manually intensive process involving scripts, command-line interfaces and spreadsheets to collect, correlate and summarize asset information.”

The challenge: To develop and execute a centralized storage strategy that encompasses connectivity, availability, reliability, backup and continuity, scalability, utilization, security and cost, while simultaneously coping with the operational tradeoffs inherent in product offerings and legacy environments.

“This really involves getting buy-in from all the different areas that implement storage and reminding them that this is an enterprisewide solution,” says Hale. “The more centralized your environment, the easier it is to manage and the fewer people you need. For instance, we manage 120 terabytes of information with two full-time employees; the industry standard is about one FTE [full-time equivalent] for every 6 to 10 terabytes.”






Q: What is the biggest storage-related challenge your company faces?

Percentage of respondents who answered:

Managing growth and meeting capacity needs: 30%
Integration and consolidation of assets: 22%
Managing storage assets: 18%
Choosing the right products/justifying expenditures: 10%
Reliability/availability: 9%
Security: 4%
Other: 3%

Source: Top Ten Pain Points Survey Results Report, prepared by the Storage Networking Industry Association End User Council, May 2004


One possible solution: Mapping strategic dynamics to operational options. Start by considering several important questions:

• What data needs to be highly available so it can be easily accessed to meet your business needs?
• What kind of connectivity and reliability will this demand?
• What kind of security and backup/restore capability is necessary?
• What about meeting compliance requirements?
• How much room do your business functions need to grow?

The answers to these questions will determine your data-storage requirements and drive your quest for the best available solutions.

“By aligning the storage characteristics with the business’s specific needs, CIOs can maximize the value of their information at the lowest overall cost,” says Steinhardt.

Hale suggests starting from scratch. “Take a blank sheet of paper and design the SAN [storage area network] and the management tools you need up front and then let the solutions fit your design,” he says. “And make certain there’s a corporate strategy in place. Ours is very simple: Centralize everything. I want one tool to manage all the environments. I want the look from the console to be server- and operating system-independent. It’s simply more productive and cost-effective.”


From the trenches: Functionality over technology

“You need to understand what you want before you go into the analysis phase,” Hale advises. “If you just go out looking for the best SAN, you might end up with great technology, but not the functionality you need. You need to begin with a list of your requirements.”

He knows the importance of that step firsthand. “We had a situation where network services wanted one SAN vendor and our UNIX folks wanted another. But our strategy says we don’t want two different SANs. So I got all the storage-support folks together and said, ‘You all have to get on the same page and you’re not leaving the room until you do.’”

Ultimately, the decision hinged on a simple question: “Which of the two solutions could handle all three of our environments—the mainframe, UNIX and Windows?” Hale says. “Only one of them could, so that immediately eliminated the other.” SD






where  the  payoffs  are 




ENTERPRISE  STORAGE  MANAGEMENT 


Anders Lofgren, vice president of product management for the BrightStor® line of solutions from Islandia, N.Y.-based Computer Associates International Inc., has a pretty simple definition for effective storage management: “It means protecting the data for all it’s worth—but not more than it’s worth.”

In a world where nearly incomprehensible amounts of data need to be stored and protected using convoluted infrastructures, it’s often hard to keep that balance in mind. It’s harder still to create an infrastructure that can deliver a seamlessly integrated environment—of which data storage is a key part—that’s simple for end users to navigate, easy to manage and grow, and hard to bring down.

Truth is, the big prize remains on the horizon. But some essential elements—such as enterprise storage management solutions—are within reach.


REAL-WORLD PAYOFF: BOOSTING BACKUP SUCCESS RATES

To meet a companywide challenge to simplify and control costs, Unilever’s IT organization needed to streamline the global consumer-products firm’s backup and data restoration systems and measure performance against precise metrics. Using BackupReport from Bocada Inc., Unilever significantly increased backup success rates, hitting service-level performance goals of 99 percent across Europe. And thanks to BackupReport, the company consistently provides a business view of its data-protection services to internal customers throughout the enterprise.


What’s  the  problem? 

It’s about the data. Generally, classification processes are too manual, too redundant, too separate from asset management systems. Digital rights aren’t sufficiently monitored. Versioning is a nightmare. Storage management systems can’t, by themselves, automatically determine what’s needed to back up, replicate, and archive all the parts of shared information files.

And without an overarching, business-oriented view of enterprise data, it’s too easy for individual users to move, replicate, back up, restore, reorganize and archive data without considering the impact on the business.

“A good CIO needs to recognize that many of today’s IT processes are just plain broken and only going to get worse,” says Steve Duplessie, founder and senior analyst at the Enterprise Strategy Group, a Milford, Mass.-based research firm focusing on storage and information management. “Give the skilled people the tools, the time and the money to fix the problems before they crater the company.”

What’s  needed? 

Ideally, storage management should be top-down, driven by people, processes and policies. That’s easier said than done. “The real challenge is in multiple factions in an organization not always working toward the same goals,” Duplessie says. “The storage administrator wants one set of core tools; the operations manager has different requirements.” Meanwhile, management typically doesn’t care about the details of the storage management solution—but does care about uptime and utilization.

Duplessie advises deploying solutions that improve on legacy environments, rather than just replacing them. “Pick management tools that make your previous dumb decisions suddenly look smart,” he says. “They do exist.”

Aiding this approach are standards that abstract the storage environment to create a common, vendor-independent content repository and infrastructure—in other words, a common file system for all enterprise storage elements.

That way, products from a variety of vendors can interoperate without being dependent on a parade of individually developed application programming interfaces (APIs).


CASE STUDY: Implementing Electronic Vaulting Technology Makes Calpine a Winner at 2004 Technology Managers Forum

Congratulations to Calpine Corporation for winning the 2004 Technology Managers Forum Best Practices Award in the Business Continuity category. Calpine, a leading North American power company operating more than 90 plants, decided to implement electronic vaulting technology, and that decision has helped it to achieve optimal data protection as part of a comprehensive business continuity plan.

ELIMINATE THE RISKS

By implementing online (Internet-based) data backup and retrieval and offsite storage using electronic vaulting technology, Calpine has eliminated many of the risks associated with a traditional backup and recovery strategy. The company now has the security of automated, reliable, consistent backup and recovery processes. Storing data offline and offsite secures business-critical data out of reach of hostile threats.

Calpine's embrace of vaulting technology also means competitive advantage and increased business resilience thanks to:

• Enhanced business continuity through its up-to-the-minute recovery point and fast recovery time. Thousands of data points critical to plant operations are captured every 4-5 seconds and available for quick restoration, if necessary.

• Lower overhead costs. Calpine determined that electronic vaulting provides a 200 percent ROI in the first year and a 500 percent ROI over three years.

• Improved productivity and reliable, consistent backup processes. Before electronic vaulting, each of Calpine's remote sites had non-IT staff members performing backup and tape-management activities, resulting in backup inconsistency and variable reliability. With electronic vaulting, one qualified person monitors and backs up all remote plant sites.

Calpine's outsourced solution best practices include:

• Data backed up continuously and automatically over the Internet in encrypted form to an off-site disk, monitored 24x7x365.

• Backup data stored on disk for 90 days, on tape for 7 years.

• Quick data-recovery time and an up-to-the-minute data recovery point, over the Internet.

Calpine's vendor for electronic vaulting services is Iron Mountain.

For more information on what Iron Mountain's solutions can do for you, visit www.ironmountain.com/downtime.

Storage  standards  at  last 

Fortunately, the first version of the Storage Management Initiative Specification (SMI-S), embraced by most storage vendors, supports such efforts.

By providing common information models for managed storage devices and creating a common protocol for managing them, SMI-S aims to eliminate the need for vendor-specific management protocols and application programming interfaces—and for the costly development efforts they entail. Based on the Web Based Enterprise Management (WBEM) architecture and the Common Information Model (CIM), SMI-S’s evolution is being guided by the Storage Networking Industry Association, a San Francisco-based trade association.

SMI-S Version 1.0, released earlier this year, defines a model for discovering and managing host bus adapters (HBAs), switches and arrays. As vendors adopt the open, extensible SMI-S standard, organizations will be able to reduce storage operations and management costs, more quickly implement changes to storage infrastructure and extend the life of their storage investments while avoiding vendor lock-in.

Managing  the  data  lifecycle 

“Organizations seeking to lower storage costs, increase data productivity and integrity, simplify storage administration and/or create accountability for data should consider information lifecycle management [ILM],” says Gabriel Broner, senior vice president of Silicon Graphics Inc. ILM involves aligning the value of information with the cost of its storage. Effective ILM is accomplished by managing data from cradle to grave, moving it to the most cost-effective storage environment depending on how it’s being used in the business at any given time. Since 90 percent of data stored on disk is rarely accessed after 90 days, according to the Enterprise Storage Forum, a division of New York City-based JupiterMedia Corp., moving it to less costly storage media at the right time will be well worth the effort for many companies.


Q: What are your biggest storage-management challenges?

Percentage of respondents who answered:

Managing complex storage infrastructures: 21%
Manageable and reliable backup and recovery solutions: 14%
Centralizing storage infrastructure management: 13%
Lack of robust SRM or SAN management tools: 10%
Improving resource utilization: 8%
IT budget constraints: 8%
IT management places low priority on storage infrastructure improvement: 8%
Interoperability: 5%
Lack of internal standards or adoption of best practices and policies: 4%
Other: 3%

Source: Top Ten Pain Points Survey Results Report, prepared by the Storage Networking Industry Association End User Council, May 2004

“The core benefits of ILM are achievable today,” Broner says. “Once the largely manual process of classifying data is complete, ILM solutions can automate the management of each type of data over its useful life.”

Such automation helps eliminate threats to data integrity and accountability and helps reduce the management burdens of moving data manually. Moreover, Broner says, automation provides higher productivity than alternative approaches.

“To be successful, an ILM strategy must be business-centric, tying closely to key business processes, applications and initiatives,” explains Ken Steinhardt, director of technology analysis at Hopkinton, Mass.-based EMC Corp. “At the same time, it must provide an integrated view of all information assets, both structured and unstructured.”
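A tiering policy of the kind Broner describes, as an added example rather than SGI's, EMC's or any vendor's code: it classifies each file by idle time and business class, using the 90-day cold threshold from the text, plans the moves and prices the result. The tier names, per-gigabyte costs, business-class labels and file inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical tiers with constructed per-GB monthly costs (not from the page).
TIER_COST_PER_GB_MONTH = {"primary": 1.00, "nearline": 0.40, "archive": 0.10}


@dataclass(frozen=True)
class FileRecord:
    path: str
    size_gb: float
    last_access: date
    business_class: str  # assumed labels: "critical", "standard" or "reference"
    tier: str            # tier the file currently occupies


def target_tier(rec, today, cold_after_days=90):
    """Tier a record should occupy under the policy.

    Constructed policy: data untouched for 90 days (the text's threshold) goes
    to nearline; untouched for four times that, to archive. 'critical' data
    never drops below nearline so it stays quick to restore; 'reference' data
    goes straight to archive once cold. Warm data always returns to primary.
    """
    idle_days = (today - rec.last_access).days
    if idle_days < cold_after_days:
        return "primary"
    if rec.business_class == "critical":
        return "nearline"
    if rec.business_class == "reference" or idle_days >= 4 * cold_after_days:
        return "archive"
    return "nearline"


def plan_moves(inventory, today, cold_after_days=90):
    """Return (moves, monthly_cost_now, monthly_cost_after).

    moves lists (path, from_tier, to_tier) for each record whose current tier
    differs from its target, in both directions: recalling hot data from
    archive is as much part of the lifecycle as demoting cold data.
    """
    moves = []
    cost_now = cost_after = 0.0
    for rec in inventory:
        want = target_tier(rec, today, cold_after_days)
        cost_now += rec.size_gb * TIER_COST_PER_GB_MONTH[rec.tier]
        cost_after += rec.size_gb * TIER_COST_PER_GB_MONTH[want]
        if want != rec.tier:
            moves.append((rec.path, rec.tier, want))
    return moves, round(cost_now, 2), round(cost_after, 2)


# Constructed inventory; access dates are relative to a fixed reference day.
TODAY = date(2004, 12, 1)
SAMPLE_INVENTORY = [
    FileRecord("/erp/ledger.db", 200.0, TODAY - timedelta(days=1), "critical", "primary"),
    FileRecord("/erp/ledger-2003.db", 150.0, TODAY - timedelta(days=400), "critical", "primary"),
    FileRecord("/cad/model-v12.cad", 50.0, TODAY - timedelta(days=120), "standard", "primary"),
    FileRecord("/cad/model-v3.cad", 60.0, TODAY - timedelta(days=500), "standard", "primary"),
    FileRecord("/docs/manual-1999.pdf", 5.0, TODAY - timedelta(days=95), "reference", "nearline"),
    FileRecord("/home/alice/notes.txt", 0.5, TODAY - timedelta(days=10), "standard", "archive"),
]

if __name__ == "__main__":
    moves, before, after = plan_moves(SAMPLE_INVENTORY, TODAY)
    for path, src, dst in moves:
        print(f"{path}: {src} -> {dst}")
    print(f"monthly cost {before:.2f} -> {after:.2f}")
```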

SRM:  the  Holy  Grail? 

The goal of storage resource management (SRM) is straightforward: to optimize the management and utilization of existing storage and backup resources to improve availability and reliability while lowering costs. To work effectively, an SRM initiative must address capacity planning, discovery, configuration, monitoring, provisioning, performance and reporting of storage/backup devices, and the underlying infrastructure.

“SRM capabilities provide valuable insight into data and storage assets across the IT network,” says Lofgren. “SRM provides a bird’s-eye view of the complete storage landscape, including the distributed and mainframe sides of the IT environment” by finding, visualizing, monitoring and reporting on both the physical and logical elements in a storage network, and by changing those elements as needed.


KEY SRM FEATURES

Essential to a robust storage resource management (SRM) solution is the ability to plan, provision, monitor, report, manage devices and automate—all while working with a variety of vendors. While IT environments differ from organization to organization, most will benefit from SRM software that can:

• Identify and map the relationship between physical and logical devices, including servers, storage area networks and storage

• Graphically monitor the environment from end to end

• Manage multiple assets and processes from a centralized dashboard

• Link to management software already in-house

• Analyze events to provide intelligence useful for understanding performance issues, asset utilization, provisioning and other functions

• Report on how storage assets are utilized by application and other constructs (such as departments)

Source: The Role of SRM in Managing the Information Lifecycle, report by Mike Karp, senior analyst, Enterprise Management Associates Inc.

“The use of SRM tools, coupled with a sound information lifecycle management [ILM] strategy, can help CIOs better control overall capital and operational expenditures for the enterprise storage infrastructure,” Steinhardt says. “They help IT get command and control over storage environments via a single interface, providing timely and accurate information about the health, performance and utilization of storage assets at any given time.”

Storage  management  best  practices 

Following are four tried-and-true practices for effective storage management, along with the likely challenges that must be overcome to effectively implement each:

• Consolidation: Centralize data management to reduce the need for redundancy, replication and duplication. Challenge: Developing TCO metrics and effective service-level agreements.

• Standardization: Centralize storage purchase-approval processes. Challenge: Figuring out how to prevent and penalize “maverick” spending.

• Modification of data center operations: Centralize activities such as data backups, archival procedures, and administrative automation. Challenge: Creating IT processes and service-level agreements that meet business requirements.

• Use of integrated management tools: Provide administrators with tools that help them monitor utilization and reliability, decide when to archive, and manage accessibility and security. Challenge: Deciding which tools are most likely to meet both current and future needs. SD


Increase Data Protection Service Quality, Slash Costs and Prove Service Delivery

CASE STUDY

BackupReport® from Bocada® collects, organizes, stores and presents a unified, enterprise-wide view of data-protection performance. Relying on patented, agentless data-collection technology, BackupReport deploys rapidly, regardless of network topology, platform or physical location of backup assets. BackupReport helps IT departments meet the business demands of their customers by presenting critical performance metrics—data protection, system utilization, chargeback and audit services—organized by business objectives.

BULLETPROOF BACKUP OPERATIONS, MEET SLAs

Corio Inc., for example, is using BackupReport to help protect the data of its customers. Corio® delivers best-of-breed enterprise applications to some of the largest companies in the world. BackupReport provides vendor-neutral, third-party validation of backup success and allows Corio to allocate data protection costs to customers. BackupReport has helped Corio bulletproof its backup operations, establish and track SLA performance and allocate costs while improving services.

INCREASE BACKUP SUCCESS RATES WORLDWIDE

Another BackupReport user, Virgin Atlantic Airways’ IT team, backs up roughly five terabytes of critical data every week using diverse systems and backup products spread among offices throughout the world. With BackupReport, the team boosted backup success rates from about 60% to over 85%. Server utilization has improved, as has backup scheduling, and the team member who used to spend all his time monitoring backup activity now spends his time on strategic planning.

BackupReport is trusted by more than 135 enterprise customers worldwide, including leading brand names such as Agilent, Commerzbank, Genentech, Hershey’s, Microsoft, Honeywell, Orange, Siemens, Royal Bank of Scotland, SBC, Sprint, Unilever, Valero Energy and Xerox.

Founded in 1999, Bocada pioneered development of software that validates data protection system performance against business goals. Bocada’s flagship product, BackupReport, provides objective insight on service level delivery and performance, helping IT organizations increase data protection service quality, slash costs and prove service delivery.

For more information, visit www.bocada.com.




“Correlating storage usage to business operations allows intelligent decisions and policies to be put in place for effective storage management,” says Anders Lofgren, vice president of product management for Computer Associates’ BrightStor® solutions.

A storage utility model, Lofgren notes, enables the cost of storage to be managed in conjunction with business objectives. That capability, in turn, helps organizations control the growth of their storage environments, ensuring, as Lofgren puts it, “that the right data is on the right asset, with the right protection/security, at the right time to support the needs of the business.”

Treating storage as a utility can help simplify enterprise storage environments. Popular approaches include storage consolidation/virtualization and managed storage services.


The  fabric  of  storage  virtualization 

Storage virtualization hides infrastructure complexities behind a layer of logical abstraction so, regardless of the actual details, all physical storage appears as a single centralized repository.


REAL-WORLD PAYOFF: VIRTUALIZING TAPE BACKUP

Since its inception in 1994, Blue Hill Data Services Inc., a provider of data-center mainframe outsourcing and direct marketing tools and services, has never lost a customer. But the company was spending too much on tape media and labor. Part of the solution was IBM’s 3590 Automated Tape Library (ATL). The rest came from Computer Associates’ BrightStor CA-Vtape Virtual Tape System, which has increased the amount of data on the IBM ATL by 147 percent. That’s resulted in a reduction in the number of tapes used, from 100,000 to 25,000, and in the number of drives used, from 88 to 44. Labor costs have decreased as well.


The results:

• Centralized management. One tool can handle virtualization and data services with a fiber-channel fabric, eliminating the repetitive administrative tasks and the labor costs associated with them.

• Improved disk utilization. Consolidating stovepiped storage environments—typically an assortment of direct-attached, network-attached and storage area networks—into virtual pools enables these resources to be used more efficiently because they can be shared with any network server.

• Tiered storage. Administrators can mix and match storage arrays rather than being forced to use the same costly enterprise-class machines to remotely replicate critical data for high-availability and disaster recovery functionality.

• Consolidated data services. Migrating the data services that organizations have built into workflows and disaster-recovery plans, such as replication and snapshots, means they can perform across heterogeneous storage arrays and be more easily managed.

Approaches to storage virtualization include solutions that are software-based, switching-based, and appliance-based.

“The discussion of virtualization is too often focused on the management-tools level,” says Gabriel Broner, senior vice president and general manager of the storage and software group at Silicon Graphics Inc. in Mountain View, Calif. “Virtualization implemented in the infrastructure itself is much more effective.”

Broner sees consolidation, data lifecycle management and data protection solutions working together, virtualizing capacity, capability and heterogeneity “to grow as the business grows, with investment protection all the way down to the device and application level.”

The  virtues  of  electronic  vaulting 

Outsourcing storage-management tasks can cut labor costs by 25 to 40 percent as compared with doing the job internally, according to Data Storage Today, an online industry news publication. Turning to managed storage services for backup and recovery capabilities can be especially effective for small and midsize businesses, whose resources may be challenged by the need for more frequent backups of burgeoning amounts of data, with minimal time to do it.




Delivering Sustainable Cost and Productivity Benefits for Data-Intensive Enterprises

CASE STUDY

SGI is the world’s leader in high-performance computing, visualization and storage. As the only full line of storage solutions designed specifically for data-intensive environments, SGI InfiniteStorage Solutions go beyond the TCO benefits of consolidation, contributing to your top line with productivity increases that deliver real ROI. The entire product line is designed to integrate seamlessly and to scale “infinitely” so you can change capacity, performance, connectivity or even storage architecture to meet your requirements today and tomorrow without losing your investment.

For example, Medtronic, a world leader in the design and manufacture of medical technology, has depended on SGI technology for the past 12 years for analysis, simulation and product development for many of its cardiac products.

Medtronic’s problems began as the amount of its data grew and Medtronic engineers found themselves spending more and more time waiting for data to copy over already overloaded networks. The result? Engineers’ productivity decreased.

FROM A GRAVEL ROAD TO A SIX-LANE FREEWAY

To solve these problems, Medtronic implemented a Fibre Channel SAN with SGI InfiniteStorage Shared Filesystem CXFS. CXFS gives the SGI compute servers and the workstations used by Medtronic engineers instant, concurrent access to all data stored on the SAN, so engineers no longer waste valuable time copying data, and without superfluous copies, there is less data to store, manage and back up.

According to Tim Abraham, graphics resource manager for CRM therapy delivery, “With the addition of the SAN and CXFS, the return on investment for our existing equipment has gone way up. Overall disk and server utilization has increased substantially and engineers no longer waste time copying data. For Medtronic, the transition from NFS over a LAN to CXFS over a SAN has been like going from a gravel road to a six-lane freeway.”

With robust and combinable solutions for intelligent consolidation, data lifecycle management and data protection, SGI InfiniteStorage is delivering sustainable cost and productivity benefits in the unique and demanding environments of data-intensive enterprises.

For more information visit www.sgi.com/storage.


In many organizations, electronic vaulting is replacing manual tape backups. Providers of electronic vaulting services automatically back up server data based on user criteria, encrypting it and sending it via the Internet or dedicated communications lines to secure offsite locations. Software from the provider enables users to recover data either onsite or remotely, effectively bundling backup and disaster recovery services.

Online  backup  service  checklist 

Considering an online backup service? Look for solutions with these features:

✓ A field-proven, scalable storage architecture that the provider continually upgrades. Inspect the facilities to make sure the provider’s infrastructure has what you need in terms of capacity, availability, management, security, vendor solutions, and other issues.

✓ Fast, reliable recovery via an easy-to-use self-service interface that delivers granular, disk-based restores. Such capability minimizes the need for manual intervention—and the potential for human error.

✓ 24/7 provider monitoring, including validation of backups, problem alerts, and technical help.

✓ Vaulting that’s securely offsite and offline but that also remains online for a specified period of time so that it’s available for quick restores.

✓ Expertise and service offerings tailored to your organization’s applications and configurations. For example, you might look for regulation-compliant e-mail archiving and server- and PC-oriented backups.

✓ Visibility into service performance and trends via self-service interfaces or portals.

✓ Predictable, measurable costs for forecasting future needs.

✓ A service level agreement that ensures quality of service, delineates availability, capacity and recovery performance, and spells out change processes and accountability. SD
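The backup validation, problem alerts and recovery-point items in the checklist above, and the per-site success rates the Unilever and Virgin Atlantic sidebars report, as an added example that is not Bocada's, Iron Mountain's or any other vendor's code: it parses constructed backup job log lines, measures each site's success rate against the 99 percent target from the Unilever figure, and flags hosts whose newest good backup is too old to honor a daily recovery point. The log line format, site and host names and the 24-hour threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): one backup job result per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"site=(?P<site>\S+) host=(?P<host>\S+) status=(?P<status>OK|FAILED|PARTIAL)$"
)


def parse_log(lines):
    """Return (records, malformed_count).

    records are (timestamp, site, host, status) tuples. Malformed lines are
    counted rather than silently dropped: a gap in reporting is itself a
    finding, because a backup that never reported cannot be validated.
    """
    records, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
        records.append((ts, m["site"], m["host"], m["status"]))
    return records, malformed


def site_success_rates(records):
    """Success rate per site. Only status=OK counts: a PARTIAL backup cannot
    be restored with confidence, so it is scored as a failure."""
    ok_total = defaultdict(lambda: [0, 0])
    for _, site, _, status in records:
        ok_total[site][1] += 1
        if status == "OK":
            ok_total[site][0] += 1
    return {site: ok / total for site, (ok, total) in ok_total.items()}


def recovery_point_findings(records, now, max_age=timedelta(hours=24)):
    """Hosts whose newest OK backup is older than max_age, or that have no OK
    backup at all. Returns {host: age_in_hours}, with None for 'never'."""
    last_ok, seen = {}, set()
    for ts, _, host, status in records:
        seen.add(host)
        if status == "OK" and (host not in last_ok or ts > last_ok[host]):
            last_ok[host] = ts
    findings = {}
    for host in sorted(seen):
        if host not in last_ok:
            findings[host] = None
        elif now - last_ok[host] > max_age:
            findings[host] = (now - last_ok[host]).total_seconds() / 3600
    return findings


def backup_report(lines, now, sla=0.99):
    """Assemble the service view an operations team would review each day."""
    records, malformed = parse_log(lines)
    rates = site_success_rates(records)
    return {
        "malformed_lines": malformed,
        "site_rates": rates,
        "sites_below_sla": sorted(s for s, r in rates.items() if r < sla),
        "stale_hosts": recovery_point_findings(records, now),
    }


# Constructed sample input: two nights of jobs across three sites, plus one
# unparseable line from a misbehaving agent.
SAMPLE_LOG = """\
2004-11-28 02:00 site=london host=ldn-fs01 status=OK
2004-11-28 02:05 site=london host=ldn-db01 status=OK
2004-11-28 02:10 site=rotterdam host=rtm-fs01 status=FAILED
2004-11-28 02:15 site=rotterdam host=rtm-db01 status=OK
2004-11-28 02:20 site=milan host=mil-fs01 status=OK
2004-11-29 02:00 site=london host=ldn-fs01 status=OK
2004-11-29 02:05 site=london host=ldn-db01 status=PARTIAL
2004-11-29 02:10 site=rotterdam host=rtm-fs01 status=FAILED
2004-11-29 02:15 site=rotterdam host=rtm-db01 status=OK
2004-11-29 02:20 site=milan host=mil-fs01 status=OK
agent=rtm-fs02 sent an unparseable status line
""".splitlines()
NOW = datetime(2004, 11, 29, 20, 0)

if __name__ == "__main__":
    for key, value in backup_report(SAMPLE_LOG, NOW).items():
        print(f"{key}: {value}")
```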




Until fairly recently, organizations wanting to move beyond direct-attached storage (DAS) had two choices:

• Network-attached storage (NAS), generally in the form of a dedicated file server that supports standard network file system protocols and uses the Internet Protocol (IP), or:

• Storage area networks (SANs), which use a dedicated network to provide access to consolidated block-level storage, connecting servers and storage arrays with fiber-channel (FC) technology.

Now these once-competitive approaches are starting to work together. With NAS, disparate servers and PCs can simultaneously access and share files, storage can be consolidated at the file-system level, and features such as fail-over redundancy, backup integration, remote mirroring and point-in-time copying are supported. For those reasons, NAS is often used in environments where file sharing and collaboration are important.


REAL-WORLD PAYOFF: REPLACING DAS WITH SAN

Blue Rhino Corp., a provider of branded propane grill cylinder exchange services, was approaching the limits of its direct-attached storage (DAS) infrastructure. Then the company implemented EMC Corp.’s CLARiiON CX400-based storage area network (supported by EMC SnapView backup software, Navisphere storage management and Access Logix data protection and shared storage access). The result: Blue Rhino has saved more than $150,000 in annual expenses related to administration, monitoring and productivity. A $125,000 reduction in server and tape drive costs also is expected. In addition, the company reduced its data and applications administration time by 75 percent.

SANs, on the other hand, offer dedicated storage provisioning and tunable performance that’s fast and secure and includes such advanced capabilities as centralized backup, data replication, remote mirroring and redundant storage connectivity, all without burdening operational network facilities. SAN management tools, such as those from EMC Corp. and Computer Associates, supply the physical layer of storage management by identifying, configuring, allocating and deploying storage assets in heterogeneous environments.

Such features—and their increasing speed (new fiber-channel switches and host bus adapters double their speed to 4 gigabits per second, and 10 gigabits per second is on the horizon)—make SANs very attractive to organizations with extremely large storage volumes.

No longer NAS versus SAN

Each approach has advantages. Because NAS hangs off operational (typically Ethernet-based) local area networks (LANs), disparate servers and PCs can simultaneously access and share files. Storage can also be consolidated at the file system level, and features such as fail-over redundancy, backup integration, remote mirroring, and point-in-time copying are supported. So NAS is often used in environments where file-sharing and collaboration are important.

However, using existing Ethernet components for data storage has serious drawbacks. Among the concerns:

• Storage networks should not be exposed to the security risks to which corporate LANs are subject.

• LANs, which can tolerate dropped packets and collisions, are not optimized for data storage tasks, which have little tolerance for latency and cannot afford to lose data due to timeouts.

14 STRATEGIC DIRECTIONS

ADVERTISING SUPPLEMENT

EMC ControlCenter SRM Software Delivers Time and Cost Savings to CompUSA

STUDY

IT departments today are faced with a multi-pronged dilemma when it comes to storage. Long term, they're contending with how to manage information over the course of its lifecycle while simplifying overall administration, improving utilization and lowering management costs. And at the most basic level, they need to simply better manage the increasing size and complexity of their storage networks. Until recently, many have been taking on SAN management by whiteboarding or otherwise manually tracking storage capacity.

Storage resource management (SRM) software, such as EMC ControlCenter, is one of the key solutions that is freeing IT departments from the time-consuming task of manually tracking storage capacity, while delivering the added benefit of simplifying overall administration. ControlCenter is also a key component in information lifecycle management (ILM), enabling customers to more effectively monitor, report, plan and provision storage across tiered, multi-vendor environments.

CompUSA, one of the nation's leading retailers and resellers of technology products and services, was faced with the time-consuming, personnel-intensive task of managing SANs via command-line scripting. Consequently, the company evaluated numerous SRM solutions and decided to implement ControlCenter to design, plan and provision the infrastructure, and configure and optimize their storage devices.

FROM DAYS TO MINUTES

"ControlCenter has had a major impact on our operations," says Sid Walton, director of IT technical services at CompUSA. "It has enabled us to increase application uptime and rapidly implement changes as our business evolves. With ControlCenter, we've dramatically reduced the hours we used to spend scripting and reporting, and we're much better equipped to troubleshoot, isolate and resolve performance issues."

ControlCenter's comprehensive monitoring and reporting capabilities also enabled CompUSA to assess growth, usage and performance, which is essential for proactively identifying performance issues and reallocating storage before the problem impacts a business-critical application. As a result, CompUSA reduced utilization reporting time from three days to minutes.

For more information on SRM and ControlCenter, visit www.emc.com/storagemanagement.

EMC²: where information lives

But traditional fiber channel-based SANs are complex, expensive and face distance restrictions. So now vendors are developing SANs that use the Internet rather than fiber-channel technology. The key protocol is iSCSI, which enables SANs to be constructed with proven Ethernet technology. iSCSI transports block-level storage across IP network infrastructures, allowing Internet-based data access that effectively eliminates the physical boundaries of the storage network and significantly reduces the cost of adding new servers. iSCSI can be integrated with fiber-channel SANs using a router. By linking existing fiber-channel SAN environments, notably for disaster recovery and long-distance replication, organizations can overcome SAN distance limitations and weave intelligence into the storage fabric.

The approach also offers substantial savings compared to using proprietary protocols over fiber-channel links. For instance, the IP storage SAN installed by one Colorado county government cost 45 percent less than alternative solutions. In addition, Solucient LLC of Evanston, Ill., which provides business-intelligence solutions to the health care industry, installed an iSCSI SAN for one-third the cost of a fiber-channel SAN.

“Moving forward, iSCSI—block-storage networking over Ethernet networks—has the single greatest potential to impact storage infrastructure management,” says Steve

CONTINUED ON PAGE 17




Intelligent Storage Management Solutions for On-Demand Requirements


PROFILE 


Computer Associates International, Inc. (NYSE:CA), the world's largest management software company, delivers software and services across operations, security, storage, life cycle and service management to optimize the performance, reliability and efficiency of enterprise IT environments. Under its BrightStor® brand, CA delivers Intelligent Storage Management solutions that enable businesses to lower management costs, achieve greater span of control of their storage environment, and increase storage utilization in order to meet the on-demand requirements of ever-changing business challenges.

New Intelligent Storage Management solutions from CA address the business problems facing companies today with compliance, business continuity and disaster recovery, security concerns, escalating costs against shrinking budgets, and continuous data growth.

With the introduction of BrightStor® 11.1, CA provides intelligent storage management by integrating and automating enterprise storage processes and by implementing a single management view across those processes. It prioritizes data protection based on business value, while increasing performance via multi-streaming and multiplexing capabilities. By supporting key applications, databases and systems—Oracle, Microsoft SQL Server, Microsoft Exchange, SAP R/3 and many others—BrightStor® 11.1 helps ensure business continuity, fast access to data and compliance with data retention regulations.

MANAGE AND PROTECT ACROSS MULTIPLE PLATFORMS

With BrightStor® 11.1 solutions, organizations can better leverage their investments in storage infrastructure and devices by managing and protecting greater volumes of data across multiple platforms—including Windows, UNIX, Linux, NetWare and mainframe z/OS—in a common manner. Managers can make informed decisions about resource allocation based on the business value of data assets and specific operational requirements, enabling them to prioritize investments in high-value data. IT organizations can also reclaim unused capacity, increase the efficiency of backup and restore processes, and maximize staff productivity.

CA offers its BrightStor® Intelligent Storage Management solutions under Storage Management, Data Availability, Information Life Cycle Management and Mainframe Storage.

For additional information, visit www.ca.com/brightstor


REAL-WORLD PAYOFF: SAN SUPPORT FOR E-BUSINESS

Hong Kong-based brokerage CLSA Ltd., a subsidiary of France’s Credit Agricole/Credit Lyonnais Bank, needed a continuously available IT infrastructure and a storage area network capable of automatic recovery. The firm chose an EMC Corp. solution consisting of two EMC Symmetrix storage systems, EMC Connectrix directors and software including EMC TimeFinder, EMC SRDF, EMC PowerPath, ResourcePak for NT, EMC Replication Manager and EMC ControlCenter storage management software.

As a result, CLSA was able to launch its electronic transaction business. Now, 50 percent of CLSA transactions are conducted electronically, up from 5 percent. The infrastructure also enables CLSA to create testing environments for new services in less than 30 minutes—something that previously took 15 to 16 hours. And during the outbreak of Severe Acute Respiratory Syndrome (SARS) last year, the brokerage barely skipped a beat—its new infrastructure enabled more than half of its staff to work from home.




Q: What are the top reasons you have implemented or are considering a storage network?

Percentage of respondents who answered . . .

Consolidate existing capacity: 26%
Manage growth: 18%
Improve storage management capability: 18%
Improve backup and recovery: 10%
Improve disaster recovery and business continuance: 5%
Provide more efficient provisioning: 5%
Implement virtualization: 1%
Other: 1%

Source: Top Ten Pain Points Survey Results Report, prepared by the Storage Networking Industry Association End User Council, May 2004


Duplessie, founder and senior analyst at the Enterprise Strategy Group, a Milford, Mass.-based research firm.

“All the benefits you got from your fiber-channel SAN—increased availability, performance, utilization, etc.—are absolute now, so the mission is to increase the ‘touch,’ the amount of servers sharing in these benefits. With iSCSI, instead of SANs with 50 servers, we can have SANs with 5,000 servers. It’s not an either-or scenario, it’s a combination, with fiber channel at the core of your big stuff for a long, long time.”

What about shared data?

When diverse computer systems and platforms exchange data, traditional SANs can’t help, so users have been stuck with slow access methods (NFS, CIFS, FTP). This significantly degrades performance in intensive computing environments, such as those demanding advanced visualization capabilities, where user workflow depends on timely access to and sharing of large files that typically create struggles for conventional network file systems.

The solution? A SAN file system, such as CXFS from Silicon Graphics Inc., in which one system on the SAN acts as a metadata server, controlling file permissions and mediating shared access—and allowing all SAN systems simultaneous high-speed access to the same file systems and files. There’s no file server through which all data must travel, and no file server bottlenecks to slow down performance. A single system can have multiple connections, enabling data rates of multiple gigabytes per second. Once the metadata server grants access, systems can read and write data directly over the SAN to and from disks. Add in fail-over redundancy and RAID storage, and the result is very high availability and a path to needed data even when some systems have failed. SD


SOLUTIONS CENTER

Adaptec
mention code CIO
www.adaptec.com

Adaptec delivers reliable storage solutions that drive new levels of efficiency, performance and ease of management in direct-attached storage (DAS) and networked storage solutions. The Adaptec solution offering includes a range of complete storage solutions tailored to meet specific application and budget requirements.




Intransa, Inc. (headquarters)
2870 Zanker Road, Suite 200
San Jose, CA 95134
Main: 408.678.8600
Fax: 408.678.8800
sales@intransa.com 408-678-8746
www.intransa.com

The Intransa IP SAN Storage System, designed specifically for SMB, Departments and Enterprises, delivers the functionality and scalability of an enterprise-class SAN solution at much lower cost. It is easy to install and use while providing excellent performance and reliability. Intransa is enabling businesses to improve overall productivity and business continuity.

Intransa: where the payoffs are




RELIABLE BACKUP AND RECOVERY Solutions

“In spite of its maturity, backup is still inherently unreliable and costly. Failure rates exceed 40 percent in most large enterprises,” says Drake Pruitt, vice president of marketing at Bocada Inc., a storage software vendor in Bellevue, Wash.

Meanwhile, 60 percent of small and midsize companies participating in a study by the Enterprise Strategy Group, a Milford, Mass.-based research firm, said backups take too long, and 49 percent said recoveries take too long. “To handle the exponential growth in data, companies overspend on redundant attempts, capacity provisioning and in some cases, staffing,” Pruitt says.

Oh, the pain

No wonder. Successful data backup matters now more than ever. Surveys by Coughlin Associates Inc., a storage-consulting firm in Atascadero, Calif., point to the rising cost of downtime. In one study, 26 percent of respondents pegged their organization’s downtime costs at $10,000 to $100,000 per hour. Another 15 percent estimated costs at $100,000 to $1 million per hour, and nearly 10 percent said downtime costs them more than $1 million per hour.

REAL-WORLD PAYOFF: CONSOLIDATING BACKUP

Southeastern Freight Lines, a transportation company based in Lexington, S.C., faced significant IT costs and storage management challenges in separately backing up two critical computing environments. The company implemented EMC Corp.’s Legato NetWorker to consolidate the backup of both systems, which contained logistical, order tracking, and business information and applications. The result: Reduction of the company’s full backup window from 12 hours to three, improved productivity, decreased maintenance costs and increased utilization of existing hardware. The change also eliminated the need for duplicate backup equipment and associated licensing fees.

“The issue,” says Pruitt, “is not how to control complexity, but rather how to ensure delivery of quality services to support the business against the backdrop of growing complexity. To do this, CIOs need tools and analytic support to measure, gauge and inform their staff of areas of service shortfalls.”

Tools that automate the collection of backup performance data allow IT staff to identify, remedy and prevent chronic sources of error, he notes. They also optimize workflow, infrastructure and operations that ensure alignment with business needs.

“The net results,” Pruitt says, “are higher success rates, reduced capital consumption and compliance with internal and external policies.”

Put out those fires

Pulling your staff out of the constant data backup/restore mode requires taking a series of steps:

1. Assess the state of your data backup service delivery. Conduct an enterprise-wide audit of current backup performance. Most needed information can be gleaned from analysis of existing backup logs—up-to-date throughputs and loads, consolidated reports about current and past performance, data availability and incidents.

2. Find out what your business really needs. Talk with internal customers to define their backup/restore expectations, establish benchmarks (such as restore time and compliance requirements) that define success, and translate these into service-level agreements.

3. Identify where you must improve. Begin by comparing current and desired quality of service levels. Then figure out how you can reach the desired levels at the lowest possible cost.

4. Fix the problems. This means troubleshooting chronic sources of backup error, clearing obvious bottlenecks, and backing up “orphaned” systems and files. It can also mean acquiring the new systems and software needed to achieve service levels, or modifying service levels that clearly cannot be achieved. Finally, formalize your reporting and communications efforts. SD
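Step 1 above says that most of what an audit needs can be gleaned from existing backup logs. The Python script below is an added example, not code from the article or from any backup vendor's product; it shows what that analysis looks like over a constructed job log and a constructed host inventory: per-client success rates, aggregate throughput, chronically failing clients, inventory systems that are never backed up (the "orphaned" systems of step 4), and successful jobs that overran an assumed backup window (the kind of benchmark steps 2 and 3 call for). The log format, host names and window length are all assumptions; a real product's log would only require a different parse_log().

```python
"""Audit backup service delivery from existing backup job logs.

Added example, not from the CSO article or any vendor.  It assumes a simple,
constructed line-oriented job log (one line per job: date, time, client,
status, bytes written, seconds taken) and a constructed host inventory.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample job log in a hypothetical format (not any real product's).
SAMPLE_LOG = """\
2004-11-01 22:00:14 db01 OK 412316860416 5400
2004-11-01 22:00:20 fs01 OK 107374182400 3600
2004-11-01 22:01:02 mail01 FAILED 0 120
2004-11-02 22:00:11 db01 OK 418000000000 5450
2004-11-02 22:00:19 fs01 OK 108000000000 3650
2004-11-02 22:01:05 mail01 FAILED 0 118
2004-11-03 22:00:09 db01 OK 420000000000 5500
2004-11-03 22:00:21 fs01 FAILED 21474836480 900
2004-11-03 22:01:00 mail01 FAILED 0 121
"""

# Constructed host inventory; web01 never appears in the log ("orphaned").
INVENTORY = ["db01", "fs01", "mail01", "web01"]


@dataclass
class Job:
    when: datetime
    client: str
    ok: bool
    bytes_written: int
    seconds: int


def parse_log(text):
    """Parse the constructed log format into Job records, skipping blank lines."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, status, nbytes, secs = line.split()
        jobs.append(Job(datetime.fromisoformat(f"{date} {time}"), client,
                        status == "OK", int(nbytes), int(secs)))
    return jobs


def success_rate(jobs):
    """Fraction of jobs that completed successfully (step 1: current performance)."""
    return sum(1 for j in jobs if j.ok) / len(jobs) if jobs else 0.0


def per_client(jobs):
    """Runs, successes and failures per client, for the consolidated report."""
    stats = defaultdict(lambda: {"runs": 0, "ok": 0, "failed": 0})
    for j in jobs:
        stats[j.client]["runs"] += 1
        stats[j.client]["ok" if j.ok else "failed"] += 1
    return dict(stats)


def chronic_failures(jobs, min_failures=2):
    """Clients whose backups failed at least min_failures times (step 4)."""
    return sorted(c for c, s in per_client(jobs).items() if s["failed"] >= min_failures)


def orphaned_systems(jobs, inventory):
    """Inventory hosts with no backup job at all (step 4: 'orphaned' systems)."""
    seen = {j.client for j in jobs}
    return [h for h in inventory if h not in seen]


def throughput_mb_per_s(jobs):
    """Aggregate throughput of successful jobs in MB/s (1 MB = 1e6 bytes)."""
    ok = [j for j in jobs if j.ok]
    secs = sum(j.seconds for j in ok)
    return sum(j.bytes_written for j in ok) / secs / 1e6 if secs else 0.0


def window_breaches(jobs, max_seconds):
    """Successful jobs that ran longer than the agreed backup window (steps 2-3)."""
    return [(j.client, j.when.date().isoformat(), j.seconds)
            for j in jobs if j.ok and j.seconds > max_seconds]


def audit(text=SAMPLE_LOG, inventory=INVENTORY, window_seconds=4500):
    """Run the whole assessment and return it as a dict (printed by main below)."""
    jobs = parse_log(text)
    return {
        "success_rate": success_rate(jobs),
        "per_client": per_client(jobs),
        "chronic": chronic_failures(jobs),
        "orphaned": orphaned_systems(jobs, inventory),
        "throughput_mb_s": throughput_mb_per_s(jobs),
        "window_breaches": window_breaches(jobs, window_seconds),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed log the success rate is 5 of 9 jobs, which is the kind of figure the article's 40 percent failure claim refers to; mail01 fails every night and is the chronic source of error to troubleshoot first, web01 is the orphaned system, and db01's three runs all exceed the assumed 75-minute window, which is the gap between current and desired service levels that step 3 asks you to cost out.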




TO HAVE YOUR BACKUPS PROTECTED, CALL FOR ONE OF OUR VEHICLES.

With Iron Mountain, your backup data can be transported by road or by wire. Our Electronic Vaulting Service is another dependable way to have your data protected off-site. And without the need for an IT person at your branch or remote locations.

Electronic Vaulting also means your files are backed up continuously, further reducing the risk of data loss if a system has to be restored. It also standardizes your backup process across all of your locations.

For a copy of "Calculating the Cost of Downtime", visit www.ironmountain.com/downtime or call 1-800-899-IRON.

Iron Mountain

© 2004 Iron Mountain Incorporated. All Rights Reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated.


SILICON GRAPHICS

The Source of Innovation and Discovery™

Now there’s no such thing as too much information. Huge data sets that were once the problem are now quickly becoming part of the solution. SGI InfiniteStorage delivers the complete line of solutions for intelligent consolidation, data lifecycle management and data protection, which integrate seamlessly and scale infinitely, delivering exceptional performance. In fact, SGI holds the world record for data backup and restore. So no matter the size of the data, you can be certain the solution is SGI. sgi.com/InfiniteStorage

© 2004 Silicon Graphics. SGI and the SGI logo are registered trademarks and The Source of Innovation and Discovery is a trademark of Silicon Graphics, Inc. in the United States and/or other countries worldwide.


CSO Perspectives™

Today’s security executives are required to perform difficult and constant balancing acts between the art and science of security, continuously weighed against the needs of the business. Getting the “science” part of the equation right is the easier part. The technologies are known entities, and better ones continue to evolve. There are quantitative measurements around such issues as intrusion detection, forensics and regulatory compliance, along with more mature attempts to quantify the ROI of security.

It’s the “art” of security that’s the harder part—the art of diplomacy, of persuasion, of getting into and understanding other mindsets. It’s everything from establishing security procedures everyone will actually follow, to fostering positive relations with senior executives and the board of directors, to getting the staff to think like a hacker or terrorist to get ahead of potential threats.


April 10-12, 2005
Hyatt Regency Huntington Beach
Huntington Beach, CA

Turn the page for more CSO Perspectives conference details

The Resource for Security Executives


SPEAKERS

Michael J. Assante, CSO, American Electric Power
Bob Bragdon, Publisher, CSO Magazine
David Burrill, CSO, British American Tobacco
Roger Cochetti, Group Director, US Public Policy, CompTIA
Bob Hayes, CSO, CXO Media Inc. & Former CSO, Georgia-Pacific Corporation
Nuala Kelly, Chief Privacy Officer, DHS
David Kent, CSO, Genzyme Corporation
Lew McCreary, Editor in Chief, CSO Magazine
James McDonnell, Chief Security & Information Officer, USEC and Former Director, Protective Security Division of the Information Analysis and Infrastructure Protection Office, DHS
Peter Metzger, Partner, Heidrick & Struggles
Bhavesh Patel, Vice President, Information Security, Genzyme Corporation
John Pontrelli, CSO, TriWest Healthcare Alliance
Jeffrey Rosen, Professor of Law, George Washington University and Author of The Naked Crowd and The Unwanted Gaze
Jeff Rosenthal, Vice President, BlessingWhite, Inc.
Krizi Trivisani, CISO, George Washington University
Ira Winkler, Industry Guru and Author of Corporate Espionage and Spies Among Us
Amit Yoran, Former Director, National Cyber Security Division of the Information Analysis and Infrastructure Office, DHS
Jonathan Zittrain, Conference Moderator and Cofounder, Berkman Center for Internet & Society, Harvard Law School

For more information call 800.366.0246 or visit www.csoonline.com/conferences


April 10-12, 2005
Hyatt Regency Huntington Beach
Huntington Beach, CA

We’ll examine this complex balancing act by looking at what the top practitioners are thinking and doing, and by listening to what leading security and privacy experts think will affect the landscape of the future.

Governance and Convergence: Getting It Right

The convergence of physical and information security, if effectively governed within an organization, assigns accountability for security strategy and business plan creation at the highest levels. It can enable company leadership to identify, prioritize and balance security issues and needs of the business through a more comprehensive approach.

Enterprise Risk Management: A Matter of Focus

Looking at and balancing risk on an enterprise level is the only effective way to manage a corporation in our very complex world. Explore how enterprise risk management can give a single view of all types of risks, and an executive-level management strategy to deal with them.

Security as a Business Enabler

Perhaps the hardest part of security is to cost justify it and show its value to the business. It's like buying an insurance policy—no one really wants to spend the money. What if you could prove that security really can add value?

What's Privacy Got to Do With It?

The importance of balancing privacy and security in a digital age is only overshadowed by the perceived difficulty of actually doing it. The current economic, legal, and regulatory challenges after 9/11 have made it all the more important to ensure the adoption of good laws and technologies that protect privacy and security at the same time. We provide a roadmap.

Regulatory Rundown

Is security on the way to becoming a fully-regulated industry? An increasing—some say alarming—number of official communiques from legislative bodies, regulatory agencies and industry consortia around the world suggest that might indeed be the case. We look at some of the highest-impact issues, what CSOs can do to make sense of it all, and if there’s hope in being able to influence future legislation.

The Role of Government: One Step Forward, Two Steps Back?

The US government, particularly DHS, has had tremendous opportunities to advance the public good and protect the American economy by strengthening both cyber and physical security and by building more cooperative relationships with the private sector. But there's a perception that it has failed to seize those opportunities and to move forward. What should we realistically expect—and how do we make it happen?

The Art of Persuasion: "Selling Up" in the Organization

Senior management and boards of directors often still view security as an inconvenient cost of doing business. Many CSOs today have yet to report directly to the CEO or stand before their organizations' boards and have a fair way to go before they're taken seriously as C-level executives. Each of our panelists brings a unique perspective to helping CSOs perfect the art of persuasion.

Plus More Peer-to-Peer Networking Opportunities

CSO Golf Tournament
Moderated Discussion Groups
Luncheon Discussion Roundtables
DrillDown Breakout Sessions
Networking Receptions
Sponsor Hospitalities


Marketing Security

can be lost while the emergency services try to locate you—which in the event of a serious accident can literally make the difference between life and death.

For the past two years, OnStar has been running a radio advertisement campaign featuring the voices of real callers. “The voices are of people who are hurt or panicking or upset. They’ve maybe been in an accident or are perhaps trapped in a vehicle, and the doors are locked,” says Young. “People listen to the advertisements and understand the relevance of the service we provide and respect us for using real voices of the people we’ve helped.” Tellingly, he adds, “The consumer research we’ve done suggests that people perceive us as an emergency service.” And for a business that’s careful to advertise itself as merely “peace of mind,” that’s quite a compliment.

Each month, on average, OnStar receives...
reports of air bag deployment
stolen vehicle notifications
20,000 remote vehicle diagnostic requests
34,000 remote door unlock requests

Malcolm Wheatley is a freelance writer based in the United Kingdom. Send feedback to Editor Derek Slater at dslater@cxo.com.


No Holds Barred

Vince McMahon slams those who dare tread on his World Wrestling Entertainment brand. Read “That’s Gonna Leave a Mark” from the October issue to learn about brand protection services. Go to www.csoonline.com/printlinks.


If Van Gogh had a say in Website Security, his statement would be the same as Peters Galleries’: “BRICKServer® 2”

His next statements would be, "No patching required™!" and "The only hack-resistant web server of its kind!" That's right, thanks to the process-based security of "BRICKServer® 2", the Peters Galleries are assured their website content, transaction records, and client information are kept completely secure - and that's worth a lot.

SAGE

Call 1-800-580-0025 or visit www.sage-inc.com to learn more.

Web, E-mail and FTP Software
Secure Remote Administration
Built-in Security Policy
Worry-Free Maintenance
No Patching Required

THE PETERS GALLERY is recognized as one of the world's largest and most respected dealers of 19th and 20th Century American art


December  2004  www.csoonline.com  51 


Fiction

A first encounter between two security executives—one a “cop,” the other a “geek.” Can they find mutual understanding (and even love)?
By Todd Datz

THE SCENE

A trendy restaurant in downtown Chicago. Jake DeLaw, CSO for a large consumer products company, taps his fingers on the table, checks his watch and keeps his eye out for a 5’7” brunette in a black pantsuit. He’s nervous; it’s the first date he’s had since his wife up and left him 10 months ago for one of his former FBI buddies, the weasel. He surveys the room, putting to memory the location of the emergency exit, a habit he picked up during his years in the bureau. Cripes, it’s loud in here, DeLaw thinks, as synthesizer-heavy Europop music cranks through the speakers (why can’t they play Sinatra or Bennett?) and mixes with the high-pitched buzz of twentysomethings throwing back fluorescent drinks and shouting over each other.

Melissa Hardrive strides into the restaurant. Hardrive is the CISO for a national trucking company. She’s recently ended a relationship with her Pilates instructor and only grudgingly agreed to meet Mr. DeLaw, a friend of a friend. She eyes a slightly graying, square-jawed man in a dark suit and tie, collarless shirt sitting by himself and guesses she’s spotted her dinner companion. The hostess leads her to his table.




DeLaw (standing up, offering his hand): Hi Melissa, Jake DeLaw. Very nice to meet you.

Hardrive: Melissa Hardrive. It’s a pleasure. (They sit; the server brings over two menus and a wine list. They chat briefly about the weather and the price of oil. When the server appears, DeLaw orders a crab-cake appetizer and a rib eye for an entree, Hardrive the foie gras ravioli and striped bass. After some discussion, they agree on a bottle of Bordeaux. Hardrive notes DeLaw’s ease in navigating the wine list; she was half expecting him to ask what light beers they had on tap.)

DeLaw: Well, I never expected to be having dinner with another security type. I understand you head up infosecurity at Bigwheels?

Hardrive: Yes. And you’re the CSO at Skindeep?

DeLaw: Yeah, I’ve been there two years now. I’m the knuckle-draggin’ corporate cop, making sure our shampoos and lotions make it to your bathroom in an unadulterated fashion.

Hardrive: And what did you do before you entered the world of glamour?

DeLaw: Well, let’s see, I spent 15 years with the Chicago PD, then joined the FBI sometime around 1990. After a dozen years or so, I realized that putting three kids through college was going to be, uh, a bit of a challenge. That’s when I decided to jump ship for the huge bucks. (He chuckles.) And you? How long have you been at Bigwheels?

Hardrive: Seven years. Before that I worked at an insurance company, before that a software company, and before that I was a geology major. IT security, in my view, begins with rocks.


ILLUSTRATIONS  BY  MARILENA  PERILLI 


DeLaw: I see. I was an economics major myself. But the opportunity to wear a badge, carry a nightstick and scream, “Hands on your head!” won me over.

Your CSO is Bill Krimeseen, right? Good guy. Old school.

Hardrive: More like ancient school. I’ve been trying to convince him for years that he needs to get a better handle on technology, but he shuns it like kryptonite. He still has that stovepiped mind-set that security is all about guards, guards and more guards, and that IT security is best handled by us “pinheads”—his term. When I or the other members of my staff sit down and try to explain to him what we’re doing, he barks that everything we’re trying to tell him is unintelligible. Just last week I tried to talk to him about a TCP port 80 problem, and his eyes glazed over like a Krispy Kreme.

DeLaw (a bit taken aback by her forthrightness and now feeling a little defensive): Hmm...not sure I blame him. When you throw terms like that around, most folks outside the IT domain are going to lose interest pretty quickly. I’ve spent a bit of time with my CISO the last two years trying to gain some understanding of our company’s systems, and I have to admit, it can be an exercise in frustration at times.

You also need to remember that it’s rare to find someone in a C-suite or on a board who knows how to get down and dirty with IT, who knows the difference between a firewall and a fire exit. So I’m responsible for taking all the techie talk and turning it into plain English for them. With a few colorful charts thrown in of course.

Hardrive: I’ll admit that sometimes we can be a little too liberal with our acronyms. But frankly, Jake, I’m sick and tired of hearing that lame old complaint over and over again. It’s a new world. Get used to it. I’m talking about my CSO, of course. You sound a little more enlightened—I think. (She smiles.)

(Appetizers arrive. The conversation switches to the recent election, da Bears, the best South Side hot dog joints, before returning to their chosen profession.)


CULTURAL DIVIDE

DeLaw: So how does the IT staff at Bigwheels view Bill? Does he scare the bejeezus out of them?

Hardrive: Let me preface my answer by saying that I like Bill. But he does intimidate some people. It could be the crew cut; or perhaps his fondness for expertly weaving vulgarities into his sentences.

DeLaw: Speaking as a CSO, I will say that I’ve been the target of many zingers from the IT department. I’m the big, bad guy who puts—heaven forbid!—controls on their access. Take developers, for example. They love to leave doorways into their applications so that when problems hit they can get into them more quickly; it’s more convenient for them. But these are the same doorways that the bad guys exploit.

When there is an attack from the outside, the techies do a good job trying to put the fire out and preserving the integrity of the system. But a lot of times, in the process, they accidentally destroy evidence. That makes my job tougher; when I come on the scene, I need to preserve any and all evidence—where the adversary came from, how he got in. I need that evidence for investigation and prosecution purposes. Sometimes it ain’t there; that gets my dander up.

Hardrive: I hear what you’re saying, Jake. But you’ve got to remember, the IT staff is constantly under the gun to please the business units, to make sure productivity never suffers or hits any bumps. Sometimes that pressure leads people to take shortcuts. I’m not defending the fact that security concerns are often secondary to efficiency, but with the cost-cutting of the last few years, there are fewer techies responsible for more systems. So they do what they can to make their jobs a little easier. That’s the reality.

Frankly, Bill hasn’t gained the respect of the IT staff, since he’s out of his element when it comes to technology. You know, a number of us infosecurity types think it’s easier to take a techie and make him a cop than take a cop and make him a techie. Here’s my theory: A classically trained physical security person uses all five senses to process information and figure out solutions. If you take him out of that world and put him in a cyberenvironment, he’s forced to rely on just his visual sense, what he can see on a screen. That’s a struggle for most of them.

DeLaw: Wow...can’t say I’ve heard that line of reasoning before. I don’t think the fact that I can’t smell a computer hinders my ability to get a handle on a cybersecurity event.

Maybe your theory is, in fact, senseless. (He grins, hoping she isn’t too offended.)

But let’s get back to controls for a second. The IT folks complain that their freedoms have been taken away, even when the most basic controls are implemented. I’m talking about passwords failing after a few invalid attempts; passwords expiring every 90 days; monitoring privileged users. Cripes, when I joined the company, thousands of people had privileges. It was more uncontrolled than a wildebeest stampede.

From a security point of view, I think the most dangerous person in the company is the LAN administrator. They have the keys to the kingdom. Worse, sometimes they’re nonexempt, hourly workers, or, and this blows my mind, the job is outsourced. That’s scary.

(Entrees are delivered.)


RISKY BUSINESS

Hardrive: It is scary—and that’s why all my privileged users are monitored. I know the threats we face both inside and outside, and my job is to worry about them day in and day out. That’s where I think a lot of you physical guys fall short; it’s hard for you to adjust your mind-set—those five senses I talked about earlier—to the new, virtual threats. I understand why; you’re used to measuring and mitigating risk by relying on years of legacy data—such as crime rates in cities or the likelihood of someone stealing a laptop. CISOs can’t rely on such data. Every day there are new threats, yet no risk metrics to measure those threats. If there’s a zero-day exploit, we need to be prepared for that. This lack of good risk data is one of the reasons CISOs sometimes have trouble communicating with CEOs and boards. Those folks understand the physical guys when they talk about risk; it’s harder for them to comprehend virtual risk.

That makes my job—if I may lose my humility for a second—more complex in many ways than that of the traditional, physical security exec’s. That guy has a limited checklist of things that need to be right to be good; once you’ve got proximity badges, guards, locks and cameras, you have a pretty secure infrastructure. I, on the other hand, have a list of 150 things I need to worry about; in a big company, I’m dealing with vulnerabilities that pop up hourly—such as someone doing a marketing research project who introduces a new Web server and website that’s insecure, or that inadvertently creates a tunnel into a database. We’re often accused of being overly paranoid; that’s why.

DeLaw (making hacking noise): Please pardon me (cough), must have gotten an asparagus spear (cough) caught in my throat.

Melissa, you’re grossly underestimating the responsibilities of the CSOs I hang out with. You don’t really believe that cameras and locks and guards comprise my whole security portfolio, do you? Let me tick off a list of some things we do that you probably never think about.

Take background checks, for example. I’m guessing you’d be happy to know the folks that work in the offices next to you aren’t convicted felons or potential troublemakers. Along the same lines, you and your coworkers work in a safe office environment, partly because of the cameras, guards and access control measures that some people find a nuisance.

How about risk management? Take, for example, all those outsourced IT vendors my IT department works with in India and China and Russia. Many people at Skindeep don’t realize that we vet those companies thoroughly, making sure they have strong physical and information security measures in place, before any contracts are signed. We also ensure the safety of our employees abroad, whether they’re traveling or stationed overseas. My department also makes sure that every link in our supply chain is in compliance with our policies and procedures, which keeps our products safe, keeps costs down and preserves our brand integrity.

I haven’t even mentioned crime investigations, crisis management and business continuity. Oh, there, I just did. So, Melissa, while I appreciate all you have to do to maintain a safe network, I hope you’ll open up your eyes to the multitude of areas that I manage as well. It’s a pretty full plate.

Speaking of full plates, how’s your fish?

Hardrive: Quite good, quite good. Your rib eye?

DeLaw: Perfect. I popped an extra Lipitor before I left my house to make sure I had a guilt-free time.


DETENTE

Hardrive (chuckles): Okay Jake, I admit I may have underestimated your responsibilities. Perhaps it’s because I’ve been dealing with so many new and ever more creative cyberthreats during the past few years that I’ve inadvertently put some blinders on to the other threats facing companies like Bigwheels and Skindeep. You’ve motivated me to reach out to Mr. Krimeseen, to make a greater effort at improving our working relationship. In fact, there’s a disaster recovery meeting I was going to send one of my managers to next week; I think I’ll attend myself.

(They order another bottle of wine. Hardrive, on a roll, decides to share her vision of the CSO future.)

I have another theory that may shock you. I think my job is going to go away as an executive position in the future. Why? Because, as you said earlier, it’s hard for other senior execs to relate to a CISO; they lack the technical background. They understand surveillance cameras and exposed doors, but they don’t understand open ports or rogue devices being hooked up to networks. I think infosecurity will morph over to the physical side, that we’ll begin to see true convergence.

DeLaw: Well, I can’t disagree with you....I do think the CSO and CISO roles need to be integrated. I’m fortunate the powers that be at Skindeep understand the need for the two positions to work together, not in isolation. Though we can probably do more on that score.

Hardrive: But here’s the kicker, Jake. I think the primary focus of the new, improved CSO will be infosecurity. With all the new regs in place—Gramm-Leach-Bliley, Sarbanes-Oxley and the like—boards are going to see the light; they’ll start to understand how important infosecurity is. They’re going to understand that we virtual mavens have the chutzpah and the know-how to combat the moving targets that threaten to wreak havoc with our networks.

In short, Jake, I think it’s the CISO who’s going to become the CSO. There, I said it. Please don’t hit me over the head with your steak.

DeLaw (laughing, shaking his head): And here I thought this dinner was going so well. Melissa, you and your kin will need to jump up a few levels—and get out of IT—before you get to breathe the rarified air I’m inhaling.

Maybe at that point, you and I can revisit your prediction over dinner. But I fear I’ll be real hungry by the time that comes to pass. So how about next week?

Hardrive: Perhaps...though I’m still not used to the idea of being seen with a knuckle-dragger in public.

DeLaw: For being prehistoric beasts, we sure dress a heck of a lot better than you.


Who’s Your Type?

Most CSOs fall into one of 10 categories, says our anonymous columnist. Which one best describes you? Read “A Rogue’s Gallery” from the April issue to find out. Go to www.csoonline.com/printlinks.


In Prohibition-era America, vast bootlegger syndicates smuggled in spirits from the Pacific and Atlantic.

Their offshore fleets used sophisticated codes and ciphers to encrypt radio transmissions. To combat the problem, the Coast Guard called in Elizebeth Smith Friedman and her team of federal cryptanalysts to decipher messages seized in a 1931 New Orleans raid.

In the end, the plaintext decryptions led a grand jury to indict 35 rumrunners; six bosses and smugglers were convicted and sentenced to prison on federal conspiracy charges. The culture of mobsters and speakeasies was dealt a serious blow.

Code making and breaking continue to play a crucial role in international intelligence gathering, law enforcement and global trade. Join us at RSA® Conference 2005 and learn new ways to protect your enterprise from today’s information security hoodlums, or secure your application from a new breed of hacker-bootleggers!


Platinum Sponsors: Cisco Systems, Microsoft, Computer Associates, Qualys, Symantec, VeriSign, Sun Microsystems, TippingPoint

Platinum Media Sponsor:


Register by January 14 at www.rsaconference.com and save $400 off the standard registration rate!




THE WORLD’S LEADING INFORMATION SECURITY CONFERENCE AND EXPO


RSA  Conference  2005 


February  14-18  •  Moscone  Center  •  San  Francisco 


Join the best and the brightest in the security industry at the largest gathering of information security professionals in the world.


RSA®  Conference  2005  has  something 
for  everyone.  From  high-level  strategic  outlooks 
to  development  workshops,  from  implementation 
techniques  to  post-attack  forensics,  from 
competitive  industry  analyses  to  mathematics 
and  number  theory  ...  if  your  job  touches  security, 
you  need  to  be  at  this  Conference. 


RSA  Conference  2005  offers  class  sessions 
in  the  following  tracks: 


Applied Security • Business of Security • Cryptographers • Developers • Government • Hackers & Threats • Identity & Access Management • Implemented • Perimeter Defense • Privacy, Law & Policy • Professional Development • Secure Web Services • Security Solutions • Standards • Wireless & Embedded


10,000+ attendees expected

Organizations expected to participate

Class schedule: 200 workshops and seminars of unparalleled breadth and depth

For more information, visit www.rsaconference.com

To sponsor or exhibit, please call +1 (617) 848-8756

RSA,  the  RSA  Conference  logo  and  the  RSA  Security  logo  are  registered  trademarks  of  RSA  Security  Inc.  All  other  marks  are  trademarks  of  their  respective  companies.  ©  2004-2005  RSA  Security  Inc.  All  rights  reserved 




Technologies, Tools and Tactics

Go with the Flow

Packet flows can help you monitor your network, trace a hacker’s footsteps and see how your VPN is used. By Simson Garfinkel


PACKET FLOWS ARE quickly becoming one of the most powerful tools to understand network dynamics and a variety of network-based security incidents. Flows are powerful because they are compact and easy to acquire, but nevertheless track the movements of every single packet that travels over your network. As a result, you can use flows not only to diagnose network inefficiencies and bottlenecks, but also to trace the source of virus infections and even gauge the extent of a hacker’s snooping.


A packet flow is really nothing more than a record of how many packets, traveling between two specific computers, crossed a particular point on your network. But this record has an incredible amount of detail.

For example, a single flow record might indicate that between 6:15:03 and 6:15:08 a total of 531 packets moved from port 80 on computer HUT1 to port 5535 on computer DESK2. Since port 80 is reserved for Web servers, you might reasonably expect from this flow record that the computer HUT1 was running a Web server from which PANDA2 downloaded a webpage. That’s probably good news if HUT1 is one of the servers on your department’s intranet. It’s bad news if HUT1 is the CEO’s laptop and PANDA2 is an unknown computer connected to your wireless network.

The most popular format for flow records is the Cisco NetFlow, a format that is generated automatically by many Cisco routers. Here’s how it works: The job of every router on the Internet is to look at each packet it receives, decide which of the router’s neighbors would be the appropriate next hop and send the packet along. For a home router with just two interfaces, routing is relatively easy. Packets either go to the home LAN or to an upstream Internet provider. But for a medium-size corporate router that has five or 10 different interfaces, routing decisions can become quite complex. Rather than recomputing the next hop for every packet, the router computes the answer once and saves it in a piece of high-speed memory called the route cache.

ILLUSTRATION BY ANASTASIA VASILAKIS

Each entry in the route cache corresponds to an individual packet flow. Of course, a router’s route cache isn’t infinitely large; whenever a new flow starts up, the router needs to take the oldest flow out of the cache to make room. A few years ago, these expired cache entries were thrown away. But Cisco and others realized they could be useful, so now most routers make it possible to send the old cache entries to a logging server.

Monitor  the  Flow 

The first significant use of flow data was for billing by ISPs. With appropriate postprocessing, it’s not hard to determine total data sent within a particular time and to measure peak throughput.

These days, however, flow data increasingly is being used to detect, diagnose and understand security incidents. Take the case of the CEO’s laptop. If laptops aren’t supposed to run Web servers in your organization, it’s a simple matter to detect HTTP flows from unauthorized hosts and generate an alarm.

Flow analysis can even detect worms. Normally you would expect to see that laptop making connections to the organization’s servers and computers beyond the organization’s firewall. But if you see the laptop systematically opening up connections to other machines throughout your network, this might indicate that it has been infected. If one of the computers the laptop touches starts opening up connections all over the organization, then almost certainly you have a worm. You can review the machines that connected to the CEO’s laptop, before it started acting funny, to determine where the infection started.

Working with flow data at the record-by-record level is difficult and time-consuming. Fortunately there are a growing number of tools that will monitor your flows, produce reports and also generate alarms on suspicious behaviors.
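The three detections this section describes (a Web-port flow from a host that is not a sanctioned server, a host fanning out to many others, and a look back at who contacted the first victim before it started acting funny) as an added Python example. It is not code from the article, from Cisco or from Mazu; the CSV layout, the host names standing in for IP addresses, the sample records and the fan-out threshold are all constructed for the example. It also generalizes the two-hop worm case in the text: any pair of fanning-out hosts where one touched the other before that one began scanning is reported as a link in the chain.

```python
"""Flow-record analysis: constructed example, not code from the article, Cisco or Mazu."""
from collections import defaultdict

# Constructed NetFlow-style records, one per direction:
# start,end,src,sport,dst,dport,packets. Host names stand in for IP addresses.
FLOW_LOG = """\
06:12:00,06:12:04,HUT1,80,CEO-LAPTOP,5100,210
06:13:20,06:13:21,PRINTER3,445,CEO-LAPTOP,1033,9
06:15:03,06:15:08,HUT1,80,DESK2,5535,531
06:15:40,06:15:41,CEO-LAPTOP,80,PANDA2,40122,14
06:16:02,06:16:02,CEO-LAPTOP,1040,DESK1,445,3
06:16:02,06:16:02,CEO-LAPTOP,1041,DESK2,445,3
06:16:03,06:16:03,CEO-LAPTOP,1042,DESK3,445,3
06:16:03,06:16:03,CEO-LAPTOP,1043,DESK4,445,3
06:16:04,06:16:04,CEO-LAPTOP,1044,DESK5,445,3
06:16:04,06:16:04,CEO-LAPTOP,1045,DESK6,445,3
06:17:10,06:17:10,DESK4,1200,DESK7,445,3
06:17:10,06:17:10,DESK4,1201,DESK8,445,3
06:17:11,06:17:11,DESK4,1202,DESK9,445,3
06:17:11,06:17:11,DESK4,1203,DESK10,445,3
06:17:12,06:17:12,DESK4,1204,DESK11,445,3
"""


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_flows(text):
    """Turn the CSV export into dicts with numeric times and ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, src, sport, dst, dport, pkts = line.split(",")
        flows.append({"start": to_seconds(start), "end": to_seconds(end),
                      "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "packets": int(pkts)})
    return flows


def unauthorized_web_servers(flows, authorized, web_ports=(80, 443)):
    """Hosts answering from a Web port that are not on the list of sanctioned servers."""
    return sorted({f["src"] for f in flows
                   if f["sport"] in web_ports and f["src"] not in authorized})


def fan_out(flows, threshold):
    """Sources that opened flows to at least `threshold` distinct destinations."""
    dests = defaultdict(set)
    for f in flows:
        dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def worm_chain(flows, threshold):
    """(infector, victim) pairs: both fan out, and the infector touched the victim
    before the victim began scanning."""
    spreaders = fan_out(flows, threshold)
    first_scan = {s: min(f["start"] for f in flows if f["src"] == s) for s in spreaders}
    chain = set()
    for f in flows:
        a, b = f["src"], f["dst"]
        if a in spreaders and b in spreaders and a != b and f["start"] < first_scan[b]:
            chain.add((a, b))
    return sorted(chain)


def prior_contacts(flows, victim, before):
    """Who connected to `victim` before time `before` (HH:MM:SS): where the infection came from."""
    cutoff = to_seconds(before)
    return sorted({f["src"] for f in flows if f["dst"] == victim and f["start"] < cutoff})


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("rogue web servers:", unauthorized_web_servers(flows, {"HUT1"}))
    print("fan-out hosts:", fan_out(flows, threshold=5))
    print("worm chain:", worm_chain(flows, threshold=5))
    print("contacted CEO-LAPTOP first:", prior_contacts(flows, "CEO-LAPTOP", "06:16:00"))
```

The threshold is the tuning knob: a backup server or a vulnerability scanner legitimately fans out, so in practice the sanctioned set passed to `unauthorized_web_servers` has a counterpart for `fan_out`, and the records are windowed by time rather than taken over a whole day.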


One of the most sophisticated enterprise flow management tools is the Mazu Networks Profiler. Mazu can collect flow data using either the company’s proprietary sensors or directly from Cisco or Juniper routers. The data is sent over your network to a Profiler appliance, where it is stored on a multiterabyte storage array. You interact with the system through a slick Web-based application using the appliance’s built-in Web server.

After you’ve installed the Mazu hardware, you need to teach the system about the topology of your internal network. Ideally, you do this by importing your carefully maintained list of all the desktops, servers, laptops and other network hosts in your organization. Of course, most organizations don’t maintain such lists, so Profiler has an “autodiscovery” mode in which it figures this information out for you by surveying your traffic. In this mode, the system will try to identify clients and servers within your network, group together hosts with similar behaviors and then present that data graphically to the operator.

Mazu Vice President of Marketing Tom Corn describes the company’s experience with “autodiscovery.” On one of Mazu’s first deployments, Profiler discovered a group of laptops that were establishing VPN connections with an outside network. It turns out that Mazu’s customer had hired a system integration firm to do some custom database work. The consultants had been given IP addresses inside the customer’s network and had proceeded to open VPN connections back to their home network so that they could check their mail, access files and generally get their work done.

So far, so good. But upon further investigation, it turned out that the consultants were doing a lot more than e-mail and file sharing: They were exploring their client’s internal network, systematically opening connections to more than 30 different locations. Some of these connections were legitimate, but others were probably inappropriate poking around. Once the issue was identified, Profiler was handed a policy that described where in the client’s network the consultants were allowed access and where they were not. The system was programmed to generate an alert if this policy was violated so that the client could handle the infringement in an appropriate manner.

One challenge with enforcing policy based on flow information is that many computers have dynamically assigned IP addresses. Mazu handles this by analyzing the log files generated by Dynamic Host Configuration Protocol (DHCP) servers. This allows policies and reports to be based on actual names rather than on dynamically changing IP addresses.
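The consultant policy and the DHCP correlation described in the last two paragraphs, as an added Python example. This is not Mazu’s code; the DHCP log line format, the subnets, the host names and the flow tuples are constructed for the example. Its point is the one the text makes: the same address is handed to two different machines during the day, so a rule keyed on the address would either miss the consultant or falsely accuse the engineer who inherits it.

```python
"""Resolve dynamic IPs to host names from DHCP logs, then check a name-based zone policy.
Constructed example; not Mazu's code. The log format is an assumption."""
import ipaddress
import re
from datetime import datetime
from fnmatch import fnmatch

# Constructed DHCP server log. 10.0.5.23 goes to the consultant's laptop in the
# morning and, after that lease lapses, to an engineering desktop at noon.
DHCP_LOG = """\
2004-11-15 08:00:01 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (consultant-laptop-1) via eth1
2004-11-15 08:00:09 dhcpd: DHCPACK on 10.0.5.40 to 66:77:88:99:aa:bb (eng-desk-7) via eth1
2004-11-15 12:00:05 dhcpd: DHCPACK on 10.0.5.23 to 66:77:88:99:aa:cc (eng-desk-8) via eth1
"""

# Constructed flows: (time, src_ip, dst_ip, dst_port), only what the policy needs.
FLOWS = [
    ("2004-11-15 09:00:00", "10.0.5.23", "10.0.20.5", 1433),  # consultant -> database dev subnet
    ("2004-11-15 09:05:00", "10.0.5.23", "10.0.30.7", 445),   # consultant -> finance file server
    ("2004-11-15 09:06:00", "10.0.5.23", "10.0.30.8", 445),   # consultant -> finance file server
    ("2004-11-15 09:10:00", "10.0.5.40", "10.0.30.7", 445),   # engineer -> finance, no rule applies
    ("2004-11-15 13:00:00", "10.0.5.23", "10.0.30.7", 445),   # same IP, but now it is eng-desk-8
]

# Policy keyed on host-name patterns, not addresses: where each kind of host may connect.
POLICY = {"consultant-*": ["10.0.20.0/24"]}

LEASE_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPACK on (\S+) to \S+ \((\S+)\)")


def parse_leases(text):
    """(timestamp, ip, hostname) for every DHCPACK, oldest first."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(leases)


def name_for(leases, ip, when):
    """Host that held `ip` at ISO time `when`: the most recent ACK at or before it."""
    when = datetime.fromisoformat(when)
    name = None
    for ts, lease_ip, host in leases:
        if lease_ip == ip and ts <= when:
            name = host
    return name


def violations(flows, leases, policy):
    """Flows whose name-resolved source reaches outside the networks its rule allows."""
    nets = {pat: [ipaddress.ip_network(n) for n in allowed] for pat, allowed in policy.items()}
    out = []
    for when, src, dst, dport in flows:
        host = name_for(leases, src, when)
        if host is None:
            continue  # no lease on record; a rogue-device alert would belong here
        dst_ip = ipaddress.ip_address(dst)
        for pat, allowed in nets.items():
            if fnmatch(host, pat) and not any(dst_ip in n for n in allowed):
                out.append((when, host, dst, dport))
    return out


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    for v in violations(FLOWS, leases, POLICY):
        print("policy violation:", v)
```

The 13:00 flow to the finance subnet produces no alert because by then the address belongs to `eng-desk-8`, which no rule covers; the two 09:05 and 09:06 flows from the same address do, because the lease table says the consultant held it at that time. Lease timestamps and flow timestamps must come from synchronized clocks for this to hold, which is why the DHCP server and the flow exporter are normally pointed at the same NTP source.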

Analyze  the  Flow 

Flow analysis can detect many kinds of security incidents that might make it past a signature-based antivirus or intrusion detection system (IDS). That’s because signature-based systems typically look inside the data of each packet for specific kinds of attacks—they might generate an alert when a packet containing part of the Code Red virus passes over the network, for example. Signature identification fails to detect new attacks, of course, but it also fails to find attacks protected by encryption or those that are spread over a long period of time—the so-called slow-and-stealthy attacks.

Because flow analysis looks at behavior, it can raise an alert on worms and other kinds of malicious programs that haven’t been seen before but that have characteristic behavior. Mazu delivers its system with heuristics to detect a number of potentially hostile situations, including slow-stealthy scans, worms and distributed denial-of-service attacks. The system will also report new services or hosts, services or hosts that have gone silent, and a wide range of policy violations.

Although systems like Profiler are usually deployed to increase an enterprise’s security, frequently they become operational tools to improve performance. For example, one of Mazu’s early customers called the company up shortly after the technology was deployed to complain that Profiler wasn’t working properly. “It showed that a significant portion of their traffic was IPv6,” and the customer was sure it wasn’t running Internet Protocol version 6, recalls Corn.

Although most computers on the Internet today use IPv4, many organizations plan to switch to IPv6. As a result, practically every modern operating system has support for both IPv4 and IPv6. Most organizations, though, keep IPv6 turned off.

More investigation revealed that the network was in fact running IPv6 on all of its desktops, but on none of its servers. As a result, every connection to every server was first tried with IPv6, and then when that failed, it was tried again with IPv4. Not only did this generate a lot of extraneous traffic, it also slowed down the perceived network performance. But the network managers had no idea that this was happening. Once the problem was identified, it was a simple matter to reconfigure the desktops. Things ran considerably faster after that.

If you are interested in flow analysis but don’t want to shell out the money for Mazu, check out ntop (www.ntop.org), an open-source NetFlow system.

And remember: While flow analysis is useful, it has some serious shortcomings. That’s because flow-based systems look only at the packet headers. They don’t look at the actual data that’s moving over your network. They can’t tell the difference between an e-mail message that has attached a photo of someone’s high school sweetheart and one that has a copy of your organization’s confidential product development plans. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He can be reached via e-mail at machineshop@cxo.com.


Of Padlocks and Passwords

In college, I worked as a “night attendant” at my 900-plus student dormitory. The main doors were locked at midnight; after hours, residents could enter only by showing the night attendant a room key. Displeased by the school’s no-overnight-guests rule, many enterprising students discovered the time-honored tactic known as “passback”—one shows the key, enters and goes upstairs, and then drops the key out a window so his guest can gain entry by presenting the unsuspecting (read: poorly trained) night attendant with the same key.

Access control has come a long way since then. Today’s building access systems typically use swipe cards or proximity badges and, among many other data-driven features, are smart enough to prevent passback. (In some buildings, for example, a card must be used for egress before the system will authorize its use for entry again.) But that’s just the tip of the technical iceberg. The following new products illustrate various ways that access control is getting smarter and, increasingly, more tightly integrated with other aspects of building and network management.

TAC I/Net Seven www.tac-global.com
TAC’s slogan is “open systems for building IT,” and the I/Net Seven suite integrates security control features (including CCTV, badging and alarm monitoring) with other building management functions, including HVAC and lighting control.

S2’s NetBox www.s2securitycorp.com
NetBox is a new building security appliance product (officially announced in June) offering browser-based control from anywhere on the network. Its features, in some cases through plug-in modules, include access control and monitoring of alarms, IP videocameras, intercom and temperature. Additionally, the system can store related information such as vehicle data for parking lot checks.

Synergistics’ Presidio www.synergisticsinc.com
Presidio is a building access control software suite; users deploy it on a Web server and again use a standard browser for centralized configuration and monitoring of card readers and doors. The system provides multiple customizable access levels and operator levels; alarm notifications that can be routed to pagers or through e-mail; and historical logs with numerous filtering and reporting capabilities.


Passwords 

CoreStreet www.corestreet.com and Assa Abloy www.assaabloy.com
This fall, CoreStreet and Swedish lock maker Assa Abloy announced a most interesting twist on access management, which the two companies tout as “the world’s first disconnected intelligent door locks.”


CoreStreet’s president, Phil Libin, says his company’s goal was to solve the problem he describes as “distributed validation: how do you prove that you’re allowed to do whatever you’re doing, if [the authorization system] can’t rely on real-time access to a central database?” The solution involves locks that read and write digital authentication certificates. Every employee’s card that is swiped at a networked location is checked against the central access control database, which writes a time-sensitive, encrypted certificate (essentially just a small amount of data) onto the card—yes, Larry is authorized to go through this door at this time. Non-networked doors look for that certificate on the card. The twist is that the networked door also uses Larry’s card to disseminate updates about other employees’ authorizations. If another employee, Joe, is fired at 5 p.m. on Tuesday, every door that reads Larry's card on Wednesday also will be updated about Joe's nonauthorized status.

Assa Abloy has licensed CoreStreet’s certificate technology (dubbed KeyFast) for use across all the Swedish company’s units, which include more familiar U.S. brands such as lock company Yale Residential Security Products and smart-card maker HID. At roughly $1,000 per lock/reader, this is not cheap stuff, but CSOs with the right mix of distributed, sensitive facilities may find it a useful solution. -Derek Slater


December  2004  www.csoonline.com  59 


CSO Undercover

Revenge of the PKI Nerds

Wherein a very patient CSO hatches a plan to revive a technology thought to be dead. By Anonymous


I recently noticed a curious phenomenon. Public Key Infrastructure, once rumored to be dead, is making a comeback. Several high-profile institutions are now deploying a technology that I assumed had been extinct since the dot-bomb era. It’s sort of technology’s version of the coelacanth. This was a fish that was assumed to have been extinct for hundreds of thousands of years and then—bam!—one turns up in a fisherman’s net off the coast of Madagascar.

I admit I have a certain fondness for Public Key Infrastructure, or PKI as it is commonly known—at least that is the three-letter version. PKI is commonly described using choice four-letter words as well. That’s because it came into favor—and just as ingloriously fell out of it—with the boom of the ’90s.

I should know, because I cut my security teeth on the bleeding edge of PKI. In 1992, I took a position as the director of electronic commerce with a company that sought to deploy a global certificate authority (CA) that would issue the digital certificates used to process PKI. Under our plan, all other CAs would be subordinate to us, and we would sit atop a giant pyramid scheme raking in monopoly profits by charging pennies on all the billions of e-commerce transactions around the world.

The only problem was that other PKI companies were busy scheming with their own plans to take over the e-commerce world. While we were plotting against each other, we forgot to actually deploy the technology. After a few years of hand waving, PowerPoint presentations and whiteboard discussions, investors began demanding that we start earning our keep by making a profit. Silly realists!

Dropping the Dot Bomb

The bottom soon fell out of the dotcom market, and the next thing we knew, we were all posting our resumes on Monster.com. I was lucky and found a job as CISO; others in the business were not so fortunate. Every now and again, when I have lunch with an old acquaintance, we reminisce about the good ol’ days of nonprofit technology hedonism and gossip about what company ol’ so-and-so eventually wound up with.

In retrospect, there were good reasons why PKI was joined at the hip with the dotcom boom and bust. In the early ’90s, every businessman had the same dream: a global marketplace of buyers and sellers linked together in cyberspace. The only problem was that conducting business over the Internet required authentication and encryption technology—the former to identify the buyer or the seller in a legally binding fashion, and the latter to protect the sensitive information being transmitted.

Authentication was being handled at the time (and still is) with traditional user names and passwords, which are clumsy but workable. The problem was encryption. Traditional symmetric encryption technology required that the sender and receiver both have the same encryption key. How could you get a secret encryption key to someone in cyberspace? PKI offered the solution.

Here’s how it would work. A public key could be published through a certificate issued by a trusted third party or CA. The corresponding private key could be kept under the user’s control. The sender could take the receiver’s public key from a published certificate, encrypt information using that public key and send the encrypted text to the receiver. The receiver could then decrypt the information using the private key. You could also establish the identity of people with digital signatures. I got authentication; I got encryption; I got nonrepudiation. Who could ask for anything more?

PKI originally had some great successes. All those neat little SSL sessions on the Internet—you know, the ones with the little lock at the bottom of the browser’s screen—were enabled using PKI technology. The difference is, those certificates are held on the server side. They are easily deployed because servers are administered by technical people and because companies have incentives to make their servers secure.

The problem arose with deploying certificates on the client side—with the customers. The PKI dream was to get a certificate on every home computer. That’s where the bucks were to be had. But the technology was too complicated for Joe Consumer to understand. Not only that, but e-commerce appeared to be working perfectly well with the tried-and-tested user name and password. Before you knew it, the e-commerce market tired of all the PKI-ers’ schmaltzy talk and went about trying to make a dollar.

With the end of the dotcom era, PKI companies such as Certco and Baltimore went belly-up. VeriSign weathered the storm primarily because it was in the business of supplying the needed server-side certificates and also because it diversified. There are other PKI companies that survived but now live a zombielike existence of the undead, making just enough money to stay alive but never enough to return to their former glory days.

PHOTO-ILLUSTRATION BY STEPHEN WEBSTER
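The column's sketch of CA-issued certificates and digital signatures, and the disconnected-lock scheme in the CoreStreet/Assa Abloy item earlier on this page, can be exercised end to end in a short script. What follows is an added example written for this page, not CoreStreet's KeyFast, Assa Abloy's firmware or any vendor's code: a CA vouches for the access-control server's public key; the networked server writes a signed, time-limited authorization for the holder plus the latest signed revocation bulletin onto every card it sees; and an offline lock that holds only the CA's public key verifies the certificate, the bulletin and the token before it opens. The signing primitive is textbook RSA over two small primes so that the script runs on Python's standard library alone (a real deployment would use a vetted library and full-size keys); the key seeds, employee names, door names and timestamps are constructed for the demo.

```python
"""Disconnected-door validation with signed, time-limited authorizations and
card-carried revocation bulletins. Added example, not CoreStreet's KeyFast or
any vendor's code: signing is textbook RSA over two ~31-bit primes so that only
the standard library is needed; keys, names and timestamps are constructed."""
import hashlib
import json
from types import SimpleNamespace as Card   # a card: its holder plus whatever the server writes

HOUR, DAY = 3600, 86400

def _next_prime(n):
    n += 1                                   # trial division is fine for 31-bit n
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keypair(seed, e=65537):
    """Toy RSA pair, pub=(n, e) and priv=(n, d), from two primes near seed."""
    while True:
        p = _next_prime(seed)
        q = _next_prime(p)
        phi = (p - 1) * (q - 1)
        if phi % e:                          # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))
        seed = q

def _digest(payload):
    raw = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign(priv, payload):                     # priv = (n, d)
    return pow(_digest(payload) % priv[0], priv[1], priv[0])

def verify(pub, payload, sig):               # pub = (n, e)
    return pow(sig, pub[1], pub[0]) == _digest(payload) % pub[0]

CA_PUB, CA_PRIV = keypair(2_000_000_000)     # root of trust, pinned in every lock
ACS_PUB, ACS_PRIV = keypair(2_100_000_000)   # networked access-control server
ACS_CERT = {"subject": "access-control-server", "pub": list(ACS_PUB)}
ACS_CERT_SIG = sign(CA_PRIV, ACS_CERT)       # the CA vouches for the server's key

class CentralServer:
    """Networked side: signs a short-lived token and the current revocation bulletin."""
    def __init__(self):
        self.revoked, self.seq = set(), 0

    def revoke(self, employee):
        self.revoked.add(employee)
        self.seq += 1                        # monotonic, so locks keep only newer news

    def swipe(self, card, now, doors, ttl=3 * DAY):
        token = {"subject": card.holder, "doors": doors,
                 "not_before": now, "not_after": now + ttl}
        bulletin = {"seq": self.seq, "revoked": sorted(self.revoked)}
        card.cert = (ACS_CERT, ACS_CERT_SIG)
        card.token = (token, sign(ACS_PRIV, token))
        card.bulletin = (bulletin, sign(ACS_PRIV, bulletin))

class OfflineDoor:
    """Disconnected lock: holds only CA_PUB; everything else arrives on cards and is verified."""
    def __init__(self, door_id):
        self.door_id, self.revoked, self.seq = door_id, set(), -1

    def present(self, card, now):
        cert, csig = card.cert
        if cert["subject"] != "access-control-server" or not verify(CA_PUB, cert, csig):
            return False
        pub = tuple(cert["pub"])
        # 1. Absorb a newer revocation bulletin, whoever happens to carry it.
        bulletin, bsig = card.bulletin
        if verify(pub, bulletin, bsig) and bulletin["seq"] > self.seq:
            self.seq, self.revoked = bulletin["seq"], set(bulletin["revoked"])
        # 2. Validate the holder's own authorization for this door, right now.
        token, tsig = card.token
        return (verify(pub, token, tsig)
                and token["subject"] == card.holder
                and self.door_id in token["doors"]
                and token["not_before"] <= now <= token["not_after"]
                and token["subject"] not in self.revoked)

def demo():
    """Replays the column's Larry/Joe scenario; returns each lock decision by name."""
    server, lab, vault = CentralServer(), OfflineDoor("lab"), OfflineDoor("vault")
    larry, joe = Card(holder="larry"), Card(holder="joe")
    tue_9am = 1_100_000_000                  # constructed timestamp
    server.swipe(joe, tue_9am, ["lab", "vault"])
    server.swipe(larry, tue_9am, ["lab"])
    out = {"joe_tuesday_lab": lab.present(joe, tue_9am + HOUR)}
    server.revoke("joe")                     # fired at 5 p.m. Tuesday
    wed_9am = tue_9am + DAY
    server.swipe(larry, wed_9am, ["lab"])    # Larry passes a networked door first
    out["larry_wednesday_lab"] = lab.present(larry, wed_9am + HOUR)
    out["joe_wednesday_lab"] = lab.present(joe, wed_9am + 2 * HOUR)     # news arrived
    out["joe_wednesday_vault"] = vault.present(joe, wed_9am + 2 * HOUR) # not yet here
    token, sig = joe.token                   # an edited token fails its signature check
    joe.token = ({**token, "not_after": token["not_after"] + 30 * DAY}, sig)
    out["joe_edited_token_vault"] = vault.present(joe, wed_9am + 3 * HOUR)
    return out
```

Running `demo()` also shows the limit of the design the column describes: on Wednesday the lab door, which has read Larry's refreshed card, turns Joe away, but the vault, which no updated card has reached, still honors his unexpired token. Shorter token lifetimes and routing staff through networked readers bound that window, and a token altered on the card fails its signature check at every lock regardless.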

Back to the Future?

So what gives with the latest interest in PKI? Much of it stems from the fact that PKI tools have matured and are more intuitive. A second reason is that the industry is coming out of a trough in the business cycle. Third, PKI is still a viable technology that can solve certain application security problems.

This doesn’t mean we have conquered the problem of client-side authentication. If you look closely at the latest deployments—such as 802.1X for device authentication, digitally signed software and VPN encryption—you’ll see that the applications use PKI for purposes other than client-side authentication.

That’s curious, especially considering the concern about phishing scams and identity theft. Citibank and American Express, for example, have launched major marketing campaigns to demonstrate how well they guard their clients from identity theft. Yet for all their talk about stopping identity theft, their customers’ only option for online banking remains user name and password. Given the threat, the time is ripe for a large-scale deployment of client-side certificates.

Instead, companies are adding security technologies that are considered more user-friendly, such as biometrics and secure ID cards, which generate a random number that’s used in addition to a password. AOL, for example, will begin offering secure IDs. Digital certificates are still seen as too difficult to deploy, administer and explain.

So what are we doing at my company? There’s no talk yet of large-scale, client-side application usage, but I have my own hidden agenda. The old saying about PKI is that the first certificate costs hundreds of thousands of dollars, and the second costs a penny. That’s because you have to build the infrastructure first. Once that is complete, you can leverage that infrastructure for a host of different applications.

Using that philosophy, I’ve managed to get my PKI project attached to an internal project with high visibility among senior managers: single sign-on. Everyone is demanding single sign-on. Once the infrastructure is built and successfully supporting that project, I can start promoting it as a cheaper security solution for other internal applications—which, incidentally, will include client-side applications such as S/MIME for encrypted, digitally signed e-mail.


If I’m successful internally, then I will start promoting its usage to our clients as a means of authenticating themselves for our financial service applications. Since our client base numbers in the hundreds of thousands, eventually I expect to have one of the few large-scale, consumer-based deployments of client-side certificates. Revenge will be sweet.

Missed Opportunities

But what if the entire industry could find a way to get the last laugh? Not to sound too ’90s, but vendors are missing a great opportunity. The need for greater client-side security is there; PKI desperately needs to evolve to meet that need. One solution is placing the client certificate in firmware (for example, in chips) to make the certificate transparent to the user.

Imagine, say, an iPod with the same functionality as a PDA (messaging, calendars, cell phone and so on) and an embedded digital certificate. The device could be registered in a process that linked its preloaded certificate with the user’s account information. Then, the user could download music files using the certificate for encryption, authentication and payment. But this would be only the beginning. Other applications could be added, such as stock trading, encrypted phone conversations and online gaming.

Of course, the race goes only to the swift, and there are several competing technologies. On the low end is the secure ID, which has an enviable track record of being compact, easy to understand and easy to deploy. But the devices do nothing for encrypting sensitive information. They still require the user to input a user name and password and have to be replaced every five years because of the battery’s lifetime.
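What the column calls the secure ID's "random number" is, in the open designs that followed, a short code derived by keyed hashing from a secret shared with the server and a counter or the current time. The following is an added example written for this page, using the HMAC-based HOTP/TOTP construction of RFC 4226 and RFC 6238 rather than RSA SecurID's proprietary algorithm: it shows the generator and the server-side check the column's point rests on, namely that the code is only ever a second factor beside the password, so the verifier checks both, tolerates one step of clock drift, and refuses to accept any code twice. The secret is the RFCs' published test key; the password, salt and timestamps are constructed.

```python
"""One-time-code second factor: HMAC-based generator (HOTP/TOTP) and a server-side
verifier with drift tolerance and replay protection. Added example, not SecurID's
algorithm or any vendor's code; secret is the RFC 4226/6238 test key."""
import hashlib
import hmac
import os
import struct

RFC_TEST_SECRET = b"12345678901234567890"   # published test key, not a real seed


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant: the counter is the number of `step`-second periods."""
    return hotp(secret, unix_time // step, digits)


def enroll_password(password, salt=None, rounds=100_000):
    """Store a salted PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class TokenVerifier:
    """Server side: password AND one-time code must pass; a code is accepted within
    +/- `window` steps of the server clock and never more than once."""

    def __init__(self, secret, stored_password, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.salt, self.pw_hash = stored_password
        self.last_counter = -1               # newest counter already consumed

    def check(self, password, code, now):
        _, candidate = enroll_password(password, self.salt)
        pw_ok = hmac.compare_digest(candidate, self.pw_hash)
        counter = now // self.step
        accepted = None
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                accepted = c
        if not pw_ok or accepted is None:    # both factors evaluated before deciding
            return False
        self.last_counter = accepted         # burn this code and any older one
        return True
```

The verifier deliberately keeps no secret beyond what the token itself holds, which is the column's other point: the shared seed authenticates, it does not encrypt anything, so the password and the transport still carry that burden.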

On the high end is biometrics, which seems to have become the greatest technology never actually deployed. The problem with biometrics is that, while consumers think nothing of giving their credit card to a teenage waiter, if you ask for a fingerprint, it’s “Hey pal, back off!” Biometrics are still considered much too intrusive. But, you never know—people’s fear of identity theft might just overcome their fear of Big Brother.

Now that we’re out of the box, let’s stretch our legs and our imaginations a bit more. Suppose we married PKI and biometrics. You could have a memory stick that contained your personal details and signing/encryption keys. Linked to the memory stick would be a biometric fingerprint sensor. To access the personal information, you would have to pass a fingerprint scan. You could take the memory stick anywhere and plug it into whatever device needed your authentication. That sounds a lot better than toting medical records, academic transcripts, driver’s licenses and all the other flotsam and jetsam of records that accompany us throughout our lives. Sound futuristic? Not really. In fact, one company, Spyrus, already has such a device on the market.

If any of this takes off, it may be that PKI will soon make a genuine comeback. That should give me new fodder for the next time I get together with my old PKI war buddies from back in the day. I can hear it now. “Hey, did you hear that ol’ so-and-so got hired to implement a PKI solution over at....” ■

This column is written anonymously by a real CSO. Send your comments via e-mail to csoundercover@cxo.com.




THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales and Services

CSO Sales Offices
President and CEO Walter Manninen • 508 935-4101
Group Publisher Gary J. Beach • 508 935-4202
Publisher Bob Bragdon • 508 935-4443
Executive VP Sales/Custom Publishing Ellen Romanow • 508 935-4796

East Coast
East Coast Regional Manager Roz Burke • 508 935-4163
Regional Sales Director Kathy Powers • 201 634-2331
Sales Assistant Christine Hopkins • 508 988-7836

Midwest
Regional Sales Director Robert E. Sawdon • 512 306-9801
Senior District Sales Manager Beth DeVillez • 847 441-3140

West Coast
Western Regional Sales Manager Mary Sinclair • 415 975-2691
Senior Regional Sales Manager Al Collins • 415 975-2686

List Services
List Services Director Kathryn A.W. Marston • 508 935-4072
List Services Account Executive Stephanie Roy • 508 935-4151

Online Services
VP/Online Sales Lisa Brown • 508 935-4470
Online Sales Manager Michael McPhee • 508 935-4611

Custom Publishing
Group Director Michael Siggins • 508 988-6763
Director Mary Gregory • 508 988-6765
Director of Content Development Tom Field
Project Managers John Danielowich, Amy Greenleaf, Kristen Waelde

Production
VP/Manufacturing Chris Cuoco
Production Manager Lee Tuttle
Senior Production Coordinator Lisa Stevenson
Production Coordinator Stephanie Naughton

Executive Programs
Senior VP/Executive Programs Jennifer Richards
Conference Management VP Cynthia Mollus
Marketing Services Director Shellie Rapson James
Business Development Director John Vulopas
Program Operations Manager Brian Fuce
Marketing Manager Glede Kabongo
Marketing Design Specialist Andrea Slobogan
Senior Client Relations Specialist Sandra J. Hughey
Senior Logistics Coordinator Michael Barbato
Event Planning Director Amy Turell
Senior Customer Service Coordinator Sarah Yee

Marketing
Executive VP/CMO Cathy O'Leary Hayes
VP/News and Information Susan Watson
Publicist Rick Sheehy
Publicist Lori Piscatelli
Marketing Research Director Bridget Cammarata
Marketing Research Manager Dylan DiGregorio
Marketing Comm. Director Sue Yanovitch
Partnership/Sponsorship Coordinator Lynn Holmlund

Circulation
Senior VP/Circulation Carol A. Spach
Circulation Director Faith Marcello
Subscription Svcs. Supervisor Tina Pescaro

Reprint Services
For article reprints (500 quantity or more), please contact Jackie Day at RSiCopyright at 651 582-3856 or e-mail csoreprints@rsicopyright.com. For further sales information, visit www.csoonline.com/reprints/index.html.


CSO Contact Information

Editorial, Advertising and Business Offices
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal Information
CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage Paid at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions
Copyright 2004 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701. Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy Rights
Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol:

Subscriptions
Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change of Address
Please go to www.omeda.com/custsrv/cso and follow the online instructions.

Postmaster
Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Index of Companies and Advertisers

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company Index
Allstate Corp., The ... 13
America Online Inc. ... 60
American Electric Power Co. Inc. ... 24, 26
American Express Co. ... 60
Assa Abloy AB ... 57
Bank of America Corp. ... 26
Bank of Montreal ... 26
BlessingWhite Inc. ... 38
Capital IQ Inc. ... 34
Cisco Systems Inc. ... 57
Citibank ... 60
Citigroup Inc. ... 46
CoreStreet Ltd. ... 57
eBay Inc. ... 24, 44
El Al Israel Airlines Ltd. ... 46
Fallon Worldwide ... 46
Genzyme Corp. ... 13
George Bush Intercontinental Airport ... 13
Houston Airport System ... 13
Industrial Light & Magic ... 38
John F. Kennedy International Airport ... 13
Juniper Networks Inc. ... 57
Karakter ... 46
Levi Strauss & Co. ... 34
Logan International Airport ... 13
Lucasfilm Ltd. ... 38
Mazu Networks Inc. ... 57
Microsoft Corp. ... 46
OnStar Corp. ... 46
Relational Technology Services Inc. ... 22
Right Management Consultants ... 38
S2 Security Corp. ... 57
Spyrus Inc. ... 60
Standard & Poor's ... 34
Synergistics Inc. ... 57
TAC AB ... 57
VeriSign Inc. ... 60

Advertiser Index
Authenex Inc. ... 7
Computer Associates Intl. Inc. ... C4
CXO Media ... 43, 48a, 49, 50, 63
Enterasys Networks ... C3
F5 Networks Inc. ... 2
HID ... 5
IBM Corp. ... 37
Information Systems Audit & Control Assoc. ... 21
InfoSec World 2005 ... 41
IPxray LLC ... 31
IronPort Systems ... 12
Microsoft Corp. ... 23
MicroSolutions ... 29
Nokia ... 15
RetroBox ... 9
RSA Conference 2005 ... 56
RSA Security Inc. ... 11
SAGE Inc. ... 51
Software House ... 17
Symantec Corp. ... C2
Webroot Software Inc. ... 19



Join the strategic online forum for today’s top security executives...AND BE PREPARED




The Resource for Security Executives

CSOonline.com

CSOonline.com is a unique resource for CSOs and other top security executives. Gain access to the tools you need to make the right decisions to stay ahead of the curve.

» Talk with security industry experts and the award-winning CSO magazine editorial team
» Connect with your peers: CSOs and other security leaders
» Stay current on emerging security issues and key challenges you face
» Discuss shared problems and viable solutions with fellow CSOs
» Leverage successful strategies from practitioners and analysts

Additional resources on CSOonline.com:

TOPIC-FOCUSED RESEARCH CENTERS provide in-depth examination of important security topics with critical articles, research, analyst reports, events, case studies and more.

WEB-EXCLUSIVE CONTENT updated daily.

OPT-IN NEWSLETTERS keeping you up to date on leadership trends, career strategies, and new technologies.

EXTENSIVE LIBRARY OF WHITE PAPERS on topics such as enterprise security, risk analysis, identity management and much more.


Toy Swords and Bladder Infections

The Year in Stupid Security

January
The Transportation Security Administration has ordered passengers on Australian airline Qantas not to queue outside toilets while making the 14-hour flight between Australia and the United States and is demanding that pilots make a preflight announcement banning passengers from "congregating in groups around toilets or anywhere else in the aircraft.” -The Sydney Morning Herald

February
Richard Albert of Township 15 Range 15, Maine, was fined $10,000 by the Bureau of Customs and Border Protection for crossing the border at a closed border patrol station. Albert was going to church and has crossed at the closed station just about every Sunday for decades; it's 30 yards from his house. He was told to cross at the closest open border patrol station, 200 miles away. -The Associated Press

March
A man from Angleton, Texas, went on a four-day drinking spree, allegedly stealing a plane (despite having never flown one before), and crashing the two-seater Cessna into 100,000-volt electricity lines, cutting off power to a large area. Officers said the suspect knew the airport's layout because he had performed community service there for a previous arrest. -Sky News

April
For two days, airport security screeners refused to let Athena LaPera, 35, board a flight to Denver because they said she no longer resembled her identification photos. LaPera had lost weight and hair because of chemotherapy treatments. -The Associated Press

May
Amateur photographer Ian Spiers was stopped for the second time for taking photos of a popular Seattle tourist attraction, Ballard Locks. Spiers reports that he showed a copy of his class assignment. The officer left but soon returned with seven others, all with guns holstered on their hips. An agent with Immigration and Customs Enforcement asked to take Spiers’ photograph. According to Spiers, when he said no, "he told me, 'You really don’t have a choice.’” -The Seattle Times

SPECIAL THANKS TO WWW.STUPIDSECURITY.COM

July
Englishman Peter Ryan said French officials seized toy swords from his two-year-old twins because the swords, which they got at EuroDisney as part of their Peter Pan outfits, were classed as replica weapons. -BBC

September
Three women, including a Federal Aviation Administration air traffic controller, came forward to the Philadelphia media after feeling violated and humiliated by TSA screenings that were, as one of the women described it, "just like getting a breast exam." Local TV station KYW reports that TSA investigated the first case and found no wrongdoing but that “screeners have been reminded of the importance of communicating with passengers during the screening process.” -KYW-TV Philadelphia

December
Airport executives in Salt Lake City want to eliminate the city’s one long-standing exemption to restrictions on low-flying aircraft. That exemption allows reindeer to fly in the restricted airspace on Christmas Eve only. -Deseret News


ILLUSTRATION  BY  ZACHARY  PULLEN 




New! Matrix X-Series Secure Core Router

With Terabit-speed performance and a rich feature set, the Matrix X-Series extends our security leadership from the edge to the core. Learn more at enterasys.com/x-series.



enterasys
Networks that Know

Securing today’s networks is a tough job. Not every vendor is prepared to step up and meet your strict requirements (despite their claims to the contrary). Then there’s Enterasys. Our unique Secure Networks solutions embed security intelligence throughout the infrastructure. This means that wherever a threat occurs, you can identify and contain it right on the spot, without ever impeding critical business operations.

How far ahead are we? Forrester Research just named Enterasys the “clear market leader” in switch-based network security, ahead of Cisco, Nortel, Extreme and others.

Don’t leave your security to chance. Find out why more and more enterprise customers like you are picking Enterasys; call 877-423-8074. To download the complete Forrester Wave Report, go to enterasys.com/marketleader.



Date: February 14, 2005
San Francisco

Visit ca.com/etrust/workshop for information and to register to win.

It takes an integrated security solution to make sure the right people have the right access at the right time.

eTrust Identity and Access Management Solutions

These days, a vital aspect of security management is providing customized levels of access for countless employees and partners while also protecting your customers from identity theft. That's one complicated job, and one that can be made much easier with CA's eTrust Identity and Access Management (IAM) Solutions. They enhance security and reduce costs by automating processes and enabling self-administration, in addition to providing policy-based cross-platform protection for web, mainframe, and application resources enterprise wide. To find out how CA's IAM solutions can improve your business, attend one of our workshops. ca.com/etrust/workshop

© 2004 Computer Associates International, Inc. (CA). All rights reserved. NO PURCHASE NECESSARY. Visit ca.com/etrust/workshop for Official Rules and prize details. Must register by January 5, 2005. Must be 21 or older to enter. Void outside of the United States, in Florida and where prohibited.

Computer Associates®


